Page 1: Table of Contents

TABLE OF CONTENTS

I. Here's the Situation ... i
II. Preface ... ii
III. NCPL Introduction to Corporate Compliance Principles ... vii
III. Compliance Principles ... 1

ESTABLISHING COMPLIANCE PROGRAMS
1. Manage Compliance ... 4
2. Contain Risks ... 6
3. Respond to Change ... 8
4. State Compliance Policy ... 10
5. Endorse at Top Levels ... 12
6. Create Compliance Accountability ... 14
7. Ensure Program Fairness ... 16

STRUCTURE AND CONTROL
8. Maintain High-Level Oversight ... 18
9. Assign Individual Responsibility ... 20
10. Delegate Authority Responsibly ... 22
11. Enforce Internally ... 24
12. Reward Success ... 26

COMMUNICATIONS AND TRAINING
13. Communicate Standards ... 28
14. Match Training to Tasks ... 30
15. Tailor Training to Audience ... 32
16. Define Communication Responsibilities ... 34

RESPONSES TO VIOLATIONS
17. Respond Proactively ... 36
18. Gather Compliance Information ... 38
19. Consider Offense Reporting ... 40
20. Evaluate Program Effectiveness ... 42

V. Implementation Examples ... 44

ESTABLISHING COMPLIANCE PROGRAMS
1. Manage Compliance ... 44
2. Contain Risks ... 55
3. Respond to Change ... 59
4. State Compliance Policy ... 62
5. Endorse at Top Levels ... 69
6. Create Compliance Accountability ... 73
7. Ensure Program Fairness ... 75

STRUCTURE AND CONTROL
8. Maintain High-Level Oversight ... 79
9. Assign Individual Responsibility ... 92
10. Delegate Authority Responsibly ... 97
11. Enforce Internally ... 102
12. Reward Success ... 113

COMMUNICATIONS AND TRAINING
13. Communicate Standards ... 115
14. Match Training to Tasks ... 118
15. Tailor Training to Audience ... 122
16. Define Communication Responsibilities ... 125

RESPONSES TO VIOLATIONS
17. Respond Proactively ... 126
18. Gather Compliance Information ... 131
19. Consider Offense Reporting ... 137
20. Evaluate Program Effectiveness ... 145

VI. Appendices
A. Sample Code of Conduct ... 148
B. Bibliography ... 156

HERE'S THE SITUATION

Internal misconduct raises important threats to companies today. Jail sentences and large fines are increasingly common for corporate personnel involved in serious offenses. Even corporate managers who were not directly involved in criminal conduct may face jail or fines for offenses committed by persons under their control. Criminal or civil offenses can produce enormous corporate fines that undercut corporate vitality and competitiveness. Probation sentences and increased regulatory oversight following an offense can restrict management control over future corporate activities.

The disruption which accompanies a major investigation of a company by public officials can be very costly. Civil damage recoveries in the aftermath of an offense can add significant further liabilities. And, perhaps most importantly, the reputational loss suffered by a company due to an offense may be difficult or impossible to repair.

Carefully planned and implemented compliance programs can reduce these risks by preventing illegal conduct and mitigating or eliminating punishments and liabilities for those offenses which still occur. Achieving and maintaining compliance can also produce other positive results. These include: increasing consumer and shareholder confidence, reducing the costs of doing business, improving relationships with investment bankers, commercial lenders and the stock and bond brokerage community, boosting management and employee morale, increasing profits, and cutting legal and administrative costs. The problem confronting most businesses now is not whether to adopt a compliance program, but rather how to establish and maintain such a program.

The NCPL's Corporate Compliance Principles provide guidance for designing and implementing compliance programs. The principles describe the common denominators of successful compliance programs -- i.e., principles of legal risk reduction which compliance programs must follow to be effective. Beyond these essential principles, this document offers considerations and examples to aid businesses -- large and small -- in constructing their own programs.

Our focus is on compliance results and not the particular procedures, tools or organizational structures a given firm should use to achieve those results. These principles will guide managers in selecting the appropriate compliance program features for their own firms. By applying the compliance principles described here and carefully assessing the associated compliance considerations and examples, corporate managers can formulate and operate compliance programs that are both effective and demonstrably sound.

PREFACE

The Corporate Compliance Principles in this volume constitute design guidelines for creating corporate compliance programs. A compliance program encompasses the set of operational methods that a company uses to ensure its activities adhere to legal requirements and broader company values. Designing effective compliance programs is an important corporate concern for two reasons. First, public harm and corporate injuries potentially resulting from corporate offenses and deviations from company values justify careful management of offense and misconduct risks. Second, under a number of recently developed legal standards -- most notably the Federal Sentencing Guidelines for Organizations -- firms with generally effective compliance programs can often significantly reduce or eliminate penalties for offenses that occur despite these programs.

To serve these ends, firms must operate -- and be able to demonstrate that they operate -- effective compliance programs. What are the features of such programs? While some rudimentary tests are contained in the Sentencing Guidelines and other legal standards, these tests provide little concrete direction on how to create effective programs. The enclosed Compliance Principles seek to provide this direction.

These Principles are the product of a two year study of compliance practices and programs. Recognizing the gap in present compliance program standards, in 1994 the National Center for Preventive Law assembled a Compliance Principles Commission comprised of legal and compliance professionals from corporations, law firms, consulting firms, and universities. The goal of the Commission was to create a set of compliance program guidelines that could be used to construct and evaluate compliance programs in organizations of all types and sizes.

The resulting Principles include three content levels. The primary content is a set of compliance principles that describe essential features of effective compliance programs. These principles are clarified through a series of considerations to be used by compliance program designers and evaluators in implementing the principles. Finally, the considerations are supplemented by numerous implementation examples showing how each consideration relates to a specific design problem and solution. Principles, considerations, and examples were developed for each of the four major topics addressed by the Compliance Principles: Establishing Compliance Programs, Structure and Control of Compliance Programs, Communications and Training, and Responses to Violations.

This format reflects the Commission's understanding of the widely-differing compliance needs, circumstances and capabilities of different organizations. In light of this, the Commission sought not to create minimum program requirements at the level of program operating features, but rather concrete principles and suggestions for the design and operation of compliance programs. These principles and suggestions should provide valuable guidance to parties concerned about compliance programs, including corporate managers, compliance program specialists, inside and outside counsel, and others such as trade organizations who advise companies about compliance programs. Although our primary focus is on corporate compliance programs, the compliance principles and suggestions described here will be relevant to other types of organizations, including partnerships, associations, joint-stock companies, unions, trusts, pension funds, unincorporated organizations, governments and political subdivisions thereof, and non-profit organizations.

The scope and detail of these Principles reflect the diverse backgrounds of the Commission members listed below. While their affiliations attest to the extensive collective experience of the Commission members, the organizational affiliations of Commission members are listed below solely for identification purposes and do not indicate the endorsement of these Principles by the listed organizations.

Richard S. Gruner, Reporter
NCPL Corporate Compliance Principles

NATIONAL CENTER FOR PREVENTIVE LAW

INTRODUCTION TO THE CORPORATE COMPLIANCE PRINCIPLES

THE VALUE OF CORPORATE PREVENTIVE LAW

Corporations serve both the public interest and the private interests of their owners, managers and employees when they operate in compliance with the expectations and dictates of the law. The Federal Sentencing Guidelines for Organizations, for example, recognize the public significance of corporate compliance in their metering of criminal penalties to accord with a corporation's efforts to "prevent and detect" violations. The occasions for civil liability that accompany compliance failures in, for just one example, managing the workplace can represent substantial risks to the corporation's economic welfare -- and, as we are reminded by the American Law Institute's new Principles of Corporate Governance, risks to management as well.

Social expectations about corporate behavior abound. Many individual companies and industry associations have responded, with programs such as the "Defense Industry Initiative," the Chemical Manufacturers Association's program of "Responsible Care," and innumerable private codes of ethics and systems for Good Manufacturing Practices. The market too has created incentives for appropriate behavior, with the popularization of private standards such as ISO 9000 and 14000.

Unlike these private codes, whose enforcement is often voluntary, legal obligations present particular hazards and opportunities. Yet violations and compliance failures are seldom obvious before they happen. When a middle-level executive violates the antitrust laws, or a shop supervisor permits an act of workplace discrimination, there has almost always been a less visible antecedent. It may have been an artifact of the corporation's internal culture; or simply the manager's ignorance of what is the right thing to do. Unlike the defense of violations that have become legal actions, avoiding the occurrence of future violations calls for preventive techniques. Prevention and litigation are very different things. Litigation calls on the lawyer to work with the court. Prevention calls on the lawyer and the manager to work with each other.

THE NATIONAL CENTER FOR PREVENTIVE LAW

The National Center for Preventive Law (NCPL) is uniquely positioned to sponsor the Corporate Compliance Principles. The Center is a not-for-profit organization dedicated to the development and implementation of Preventive Law in a broad variety of fields, from the present corporate guidelines to law education for high school students and legal services programs for the low- and middle-income elderly. The common themes in all of the Center's activities are simply that unnecessary legal risks and disruption are contrary to both the public and the private interests; and that they may most often be avoided.

The Center began its series of national corporate preventive law seminars in 1986, emphasizing even at that relatively early date the advantages of a systematic approach to compliance. Many corporations were interested and active in compliance then, but for many more the subject was underscored by the promulgation, in 1991, of the Federal Sentencing Guidelines for Organizations, which offer substantial benefits to companies who have exercised due diligence to incorporate compliance systems into their management. The Center focused its corporate seminars on the federal guidelines in 1991 and for a few years following. Many hundreds of companies participated in those seminars through their general counsel. Many others benefitted from the participation of members of private law firms. It was from NCPL's experience with those seminars that these Principles grew.

THE NCPL CORPORATE COMPLIANCE PROJECT

Corporate compliance is not achieved by assembling lists of Thou Shalts and Thou Shalt Nots. The federal sentencing guidelines themselves are not a collection of crisp requisites, but rather a set of broad standards that define in an open-textured and nondirective way what counts as due diligence in the implementation of a system to "prevent and detect violations of the law." The most appropriate inquiry for management and legal counsel is therefore not "What do we have to do?" but rather "What works?"

The NCPL's Compliance Principles are in that very important sense not a code or a standard, but an exchange of information and experience among companies and people working in the field.

The format is in three parts:

Principles of compliance, 20 in number, that state the major elements of successful compliance programs.

Considerations associated with each of the Principles, comprising questions and options to be thought about as each Principle is put into effect.

Examples explaining the Considerations in further detail and offering a selection of concrete descriptions of how some companies have put each of the major Principles into place.

The product is not meant to establish standards or minimums or even "best practices." A Consideration is just that -- a policy or activity which a corporation should consider, and decide to act on or not as its own circumstances require. The Examples describe just some of the innumerable ways in which the Considerations may be put into action. Nothing in them should be taken to reduce the flexibility each corporation must have to address its own needs and potential for legal compliance. The Principles too are prescriptive only in the special sense that they, taken together, describe the essential features of corporate compliance programs.

The scope of the work is intentionally smaller than the entire universe of corporate preventive law. The Commission had before it as it developed its text the Federal Sentencing Guidelines for Organizations, the ALI Standards of Corporate Governance, and related regulatory programs such as those of the U.S. Department of Justice, the SEC and the EPA. The particulars of those most immediately significant codes will appear to dominate this text. The value of the text, however, may be far broader.

NCPL believes that the principles of legal compliance for civil liability are not very different from those that help prevent regulatory violations or criminal behavior. Thus, the techniques of prevention, detection and response may make as effective a contribution in avoiding, for example, civil liability from sexual harassment in the workplace, as they are in preventing violations of statutory or regulatory positive law.

THE NCPL CORPORATE COMPLIANCE PRINCIPLES COMMISSION

The majority of the effort that produced this work came from the individual members of the Corporate Compliance Principles Commission, operating in four subcommittees chaired by Kirk Jordan, Joseph Murphy, John Voorhees and co-chairs Philip Sellinger and Herbert Zinn. Richard Gruner chaired the Drafting Committee and undertook overall responsibility for the project during its crucial second and final year. The NCPL is very grateful to these committee chairs, to each member of the Commission, and to the many corporations and firms who supported these individuals' participation. Many others, too numerous to name, assisted with their comments and criticisms and advice. Thanks go, too, to two corporations without whose financial support the project could not have been accomplished -- the Coors Brewing Company and U.S. West, Inc.

Although each member of the Commission is affiliated with some firm or corporation, in an old and fine tradition of the bar each was willing to "check his client at the door" while the work and the debates went on. The product is a blend of their efforts. No formal votes were ever taken; no dissents were recorded. Thus, by subscribing to the draft, no member of the group does so on behalf of his or her company or clients; and none, we suspect, agrees with every line.

The members of the Commission and the Trustees and officers of the National Center for Preventive Law sincerely hope their product will be useful.

Edward A. Dauer
September 9, 1996

COMPLIANCE PRINCIPLES

INTRODUCTION

This section describes principles for constructing effective compliance programs. The section begins with a one-page summary of those principles. In the remainder of the section, each of the principles is described in more detail along with related considerations that firms may wish to address in applying the principles. For easy comparison, each principle is described on a particular page with its related considerations laid out on a facing page. This format both defines the major issues in designing compliance programs (corresponding to the principles) and establishes checklists of means to address those issues (in the considerations).

Section V of this volume (beginning on page 44) contains implementation examples describing concrete steps companies can use to implement the compliance principles described here.

Adherence to the compliance principles described here will help companies establish and operate effective compliance programs. By effective compliance programs, we mean business practices that are generally successful in ensuring compliance with legal standards and company values. However, such programs have limitations which should not be forgotten in applying the compliance principles articulated here. First, compliance programs, no matter how comprehensive and well-run, cannot prevent or correct every violation of law or company values. Second, compliance programs may initially uncover more violations than were previously detected, thus creating a short-term artifact of apparent poor compliance. Third, given rapid shifts in legal standards and corporate operations, corporate managers may fail to predict new legal issues and adopt compliance program elements for resolving these issues. Fourth, even the best designed compliance programs will have little impact if they are not supported by persons at all levels of company hierarchies.

NCPL CORPORATE COMPLIANCE PRINCIPLES

Despite these limitations, the case for using compliance programs to further the long-term interests of companies is compelling. Expectations about corporate compliance efforts -- expectations on the part of prosecutors, regulators, sentencing courts, shareholders, customers, and the public at large -- are rising. Compliance programs are the means to meet these expectations effectively and efficiently. Such programs are mechanisms for detecting and resolving compliance problems through established managerial methods.

The compliance principles presented here identify many good managerial practices for ensuring compliance. By using these principles as suggestions for their own compliance program designs, corporate managers should be well on the way to operating effective compliance programs that realize substantial corporate benefits.


COMPLIANCE PRINCIPLES

ESTABLISHING COMPLIANCE PROGRAMS
Manage Compliance
Contain Risks
Respond to Change
State Compliance Policy
Endorse at Top Levels
Create Compliance Accountability
Ensure Program Fairness

STRUCTURE AND CONTROL
Maintain High-Level Oversight
Assign Individual Responsibility
Delegate Authority Responsibly
Enforce Internally
Reward Success

COMMUNICATIONS AND TRAINING
Communicate Standards
Match Training to Tasks
Tailor Training to Audience
Define Communication Responsibilities

RESPONSES TO VIOLATIONS
Respond Proactively
Gather Compliance Information
Consider Offense Reporting
Evaluate Program Effectiveness

ESTABLISHING COMPLIANCE PROGRAMS

Principle 1: Manage Compliance

Organizations should pursue compliance through the creation and maintenance of an effective compliance program.

Implementation Examples: Pages 44-54

Factors to Consider:

(a) Creating a program that reflects, incorporates and is integrated with the organization's culture, ethos and corporate objectives.
(b) Designing a program that is tailored and fine-tuned with specific regard to the size, form, complexity and history of the organization.
(c) Reviewing program needs based upon an organization's history of violations (if any), the risks of future violations inherent in the operations of the organization, industry standards and regulatory regimes, federal sentencing commission standards, management standards regarding essential components of compliance systems, and empirical studies of the effectiveness of compliance practices.


(d) Directing organization members toward compliance through compliance codes, operating standards, codes of ethics, and other corporate policy and philosophy statements.
(e) Setting forth program definitions and operating practices in writing and disseminating program descriptions through manuals and other appropriate media.
(f) Documenting specific steps taken in the implementation and operation of a compliance program.
(g) Including systematic record making and document retention practices in organizational operations that will aid in monitoring organizational compliance and in demonstrating the completion of compliance procedures.

Principle 2: Contain Risks

An effective compliance program is designed to prevent, detect and respond to legal risks and to promote compliance with the law.

Implementation Examples: Pages 55-58

Factors to Consider:

(a) Identifying liability-causing conduct based on industry or organizational experience, as well as the occasions for such conduct.
(b) Identifying non-obvious and incipient misconduct that tends to promote illegal actions.
(c) Structuring compliance practices to be effective, while still enhancing an organization's business, assets and goodwill and preserving its legal privileges and rights.

Principle 3: Respond to Change

An effective compliance program is a dynamic process that is designed to be flexible and modified, when appropriate, to reflect changing conditions.

Implementation Examples: Pages 59-61

Factors to Consider:

(a) Addressing the differing compliance problems and needs of dissimilar operating units.
(b) Providing for continuous operation of a compliance program and incorporating it into the daily activities of the organization.
(c) Including mechanisms within a compliance program that promote program changes in response to new business activities or other organizational changes.
(d) Recognizing that organization members or other firms may develop new methods to achieve compliance and providing mechanisms for identifying and evaluating those new methods.

Principle 4: State Compliance Policy

An effective compliance program states that it is the organization's policy to comply with all applicable laws.

Implementation Examples: Pages 62-68

Factors to Consider:

(a) Evaluating alternative methods that the organization can use to effectively state its policies regarding compliance.
(b) Stating the organization's compliance goals and methods for achieving those goals in a clear and straightforward manner.
(c) Making descriptions of compliance policies and practices readily available to all personnel who are subject to them.
(d) Stating, wherever appropriate, that certain areas of law are interrelated such that violations in one area of law may result in legal obligations in a separate area.

Principle 5: Endorse at Top Levels

The highest governing authority within an organization should endorse the organization's compliance program.

Implementation Examples: Pages 69-72

Factors to Consider:

(a) Choosing carefully the mode or modes by which a governing body or individual endorses the organization's compliance policies and compliance program.
(b) Providing for continuing, active participation of the organization's senior executives in promoting and overseeing a compliance program.

Principle 6: Create Compliance Accountability

An effective compliance program establishes accountability for compliance throughout the organization.

Implementation Examples: Pages 73-75


Factors to Consider:

(a) Establishing mechanisms that hold all organizational directors, officers, employees and agents accountable for compliance in the course of activities that they initiate or oversee.
(b) Designing a program with input from knowledgeable individuals about likely gaps in compliance accountability.

Principle 7: Ensure Program Fairness

An effective compliance program is designed to operate fairly and equitably.

Implementation Examples: Pages 75-79

Factors to Consider:

(a) Incorporating practices in a compliance program that treat all employees fairly and consistently.
(b) Providing mechanisms that guard against retaliation for raising compliance issues.

STRUCTURE AND CONTROL

Principle 8: Maintain High-Level Oversight

Specific high-level personnel in an organization are responsible for the administration and oversight of the compliance program.

Implementation Examples: Pages 79-91

Factors to Consider:

(a) Having an organizational compliance officer take "ownership" of the compliance function in the sense of having overall responsibility for initiating, coordinating and reviewing organizational compliance efforts.
(b) Considering whether the designation of one person with primary responsibility for management of compliance practices will lead others in the organization to conclude that compliance is only the compliance officer's job.
(c) Insuring that the top organizational executive with responsibility for a compliance program has the degree of clout necessary to make the program effective.
(d) Determining the compliance officer's proper level of authority and access to the organization's governance authorities in order to ensure both that the officer is able to exert effective control over compliance-related matters and that compliance management is perceived as an important activity by other organization members.
(e) Selecting a compliance officer with personal characteristics that will make the individual effective in leading and promoting organizational compliance efforts.
(f) Determining what functions, if any, the compliance officer should perform besides management and oversight of compliance activities.
(g) Making sure that a compliance officer has or can draw upon the types of expertise that are necessary to operate the compliance program effectively.
(h) Identifying resources, support and infrastructure needed by the compliance officer and others to pursue compliance effectively.

Principle 9: Assign Individual Responsibility

A compliance program has the support of senior management of the organization. Each officer, manager and employee is responsible for supporting and complying with the compliance program's standards and procedures.

Implementation Examples: Pages 92-97

Factors to Consider:

(a) Having participation in and support for the program throughout the organization and not limited to the compliance officer.
(b) Considering the consistency of the incentive, appraisal and recognition systems used within the organization with the idea that compliance is a widespread responsibility.
(c) Examining the variety of ways senior management can send the message that it considers a specific compliance behavior or objective to be high priority.
(d) Determining the degree to which the monitoring of subordinates’ compliance or ethical practices is part of day-to-day management.
(e) Determining the compliance roles of organizational agents and further participants in the organization's business activities other than employees.
(f) Examining the express and implied messages that managers give to employees about meeting the organization's compliance goals.

Principle 10: Delegate Authority Responsibly

The organization exercises due diligence to prevent the delegation of substantial discretionary authority to persons having a propensity to engage in illegal activities.

Implementation Examples: Pages 97-102

Factors to Consider:

(a) Exercising caution in employing anyone who is under indictment, convicted, or listed as debarred, suspended or otherwise ineligible for federal programs, except where such employment is approved by a senior executive and the reasons for the employment are recorded in writing.
(b) Carrying out this policy through reasonable inquiries into the status of any potential employee or consultant.
(c) Suspending indicted employees or consultants from involvement in company activities until their cases are resolved.
(d) Suspending employees or consultants who are involved in debarment proceedings from further company activities until the debarments are resolved.
(e) Discharging any employee who is convicted or debarred based on job-related conduct.
(f) Exercising care in hiring processes to investigate and consider evidence of past misconduct that is relevant to the position being sought.
(g) Exercising care in promotions and internal transfers to consider an individual employee's past job performance and internal reputation concerning compliance and the employee's adherence to the organization's compliance program.
(h) Identifying positions that may provide opportunities for violations or act as breeding grounds for violations and more carefully screening candidates for those positions with respect to compliance backgrounds and support.
(i) Addressing the risk of discriminatory personnel practices and invasions of privacy when the propensity of individuals to engage in illegal actions is considered in making personnel decisions.

Principle 11: Enforce Internally

The organization takes reasonable steps to achieve compliance with its standards and the law.

Implementation Examples: Pages 102-113

Factors to Consider:

(a) Using evaluative and reporting systems to determine the effectiveness of compliance efforts and to deter and detect violations.
(b) Reviewing and auditing employee conduct and corporate operations to provide measures of how the company is doing in its efforts to comply with the law and its own standards.
(c) Using different compliance review methods for different purposes and in different business environments.
(d) Pursuing self-monitoring and regular reporting in key aspects of business performance related to compliance.
(e) Using evaluative techniques to measure both the degree of substantive compliance, and how well the compliance processes are being implemented.
(f) Evaluating the desirable frequency and scope of such reviews.
(g) Assessing the independence and reliability of persons who perform compliance evaluations.


(h) Determining whether compliance reviews should be done by persons inside or outside an organization or organizational unit.
(i) Devising channels of communication between those who are performing compliance studies or audits and those who need the results to act on the findings.
(j) Establishing systems to assure follow-ups to negative investigation or audit findings.
(k) Using real-time monitoring of conduct as a technique to achieve compliance.
(l) Having a means for employees and agents to report violations of the standards.
(m) Providing protection against retaliation for those who report misconduct.
(n) Taking steps to assure that employees and agents know how to reach systems for reporting offenses and other misconduct.
(o) Including compliance issues in due diligence studies preceding mergers and acquisitions and in planning for new business activities.
(p) Determining the degree of confidentiality and legal privilege protection that are appropriate for self-evaluative compliance activities.

Principle 12: Reward Success

Incentives and disincentives are significant tools in promoting compliance.

Implementation Examples: Pages 113-114

Factors to Consider:

(a) Identifying policies and practices that will link favorable employment treatment, including increased compensation and advancement, to individuals' furtherance of organizational compliance.
(b) Informing persons throughout an organization that the organization's policy is to allocate incentives and disincentives (including compensation rewards and discipline) in accordance with individuals' pursuit of compliance.
(c) Communicating the views of organization leaders that incentives and disincentives provided for compliance performance are appropriate.
(d) Insuring that rewards and discipline are applied in accordance with relative levels of compliance effort.

COMMUNICATIONS AND TRAINING

Principle 13: Communicate Standards

The organization's compliance program has a communications component, the objectives of which are to make employees and other agents aware of applicable standards of conduct and to promote compliance.

Implementation Examples: Pages 115-118

Factors to Consider:


(a) Separately developing the communications component of the organization's compliance program.
(b) Identifying the appropriate organizational personnel to include in the design and implementation of the communications program.
(c) Specifying the instructional activities that should be included in the communications component of the organization's compliance program.
(d) Structuring the communications program to provide feedback and evaluative information.
(e) Documenting the steps taken in, and the results of, the organization's communications program.

Principle 14: Match Training to Tasks

An effective compliance program communicates appropriate compliance information and motivation to the organization's employees and other agents.

Implementation Examples: Pages 118-122

Factors to Consider:

(a) Providing information and skills needed to deal with the compliance issues and risks that each employee may encounter.
(b) Describing to affected employees and agents an organization's internal processes for compliance.
(c) Describing to employees and other agents the legal requirements and company values that govern organizational activities and the behaviors that are necessary to meet applicable legal requirements, corporate conduct codes, and ethical standards.
(d) Convincing employees and other agents of the need for compliance with legal requirements, conduct codes, and ethical standards.

Principle 15: Tailor Training to Audience

An effective communications program is designed to reach the intended audience.

Implementation Examples: Pages 122-124

Factors to Consider:

(a) Ensuring that a compliance communications program is understandable, accessible and practical.
(b) Evaluating the effectiveness of various communications techniques and methods.
(c) Considering the occasions on which to administer the communications program.


Principle 16: Define Communication Responsibilities

All levels of management are responsible for the operation of an organization's compliance communications program.

Implementation Examples: Pages 125-126

Factors to Consider:

(a) Determining the role of senior management in an organization's compliance communications program.
(b) Determining the role of a compliance officer and further compliance staff members in an organization's compliance communications program.
(c) Determining the roles of supervisors and middle level managers in an organization's compliance communications program.
(d) Integrating a compliance communications program with other communications programs and organizational operations.

RESPONSES TO VIOLATIONS

Principle 17: Respond Proactively

An effective compliance program is proactive in its approach to dealing with incidents of noncompliance.

Implementation Examples: Pages 126-131

Factors to Consider:

(a) Measuring proactivity in terms of promptness and decisiveness.
(b) Responding to indicators of problems.
(c) Keeping abreast of regulatory changes and industry experience.
(d) Identifying and responding to actual or suspected violations.
(e) Developing special procedures for gathering evidence of misconduct by personnel with substantial discretionary authority.

Principle 18: Gather Compliance Information

An effective compliance program possesses or has access to investigatory, evaluative and reporting resources and utilizes those resources to monitor compliance.

Implementation Examples: Pages 131-137


Factors to Consider:

(a) Determining who will conduct compliance investigations in advance of occasions for such investigations.
(b) Assuring that compliance investigations are undertaken by persons with adequate expertise to identify breaches of legal requirements and compliance program standards.
(c) Making certain that further investigations and responses are undertaken following the detection of possible misconduct.
(d) Assuring the adequacy of resources available to investigators.
(e) Insuring the independence of compliance investigators from line managers whose activities or organizations are being scrutinized.
(f) Developing record-keeping capabilities and resources to aid in identifying compliance problems and in monitoring responses.
(g) Assuring preparedness for compliance investigations and responses.
(h) Assuring appropriate scope and methodologies in the completion of compliance investigations and responses.
(i) Defining reporting systems within a company that will provide indications that compliance investigations are needed.
(j) Assuring accuracy and reliability of information gathered in compliance investigations.
(k) Conducting investigations in a manner that is likely to preserve the attorney-client and work product privileges.

Principle 19: Consider Offense Reporting

An effective compliance program addresses the occasions for external reporting of violations of the law.

Implementation Examples: Pages 137-144

Factors to Consider:

(a) Assuring that self-reporting by an organization will comply with mandatory reporting requirements.
(b) Weighing the advantages of voluntary self-reporting of misconduct under Federal Sentencing Guidelines for Organizations, government voluntary disclosure programs and other legal standards.
(c) Designating decision-making responsibility and authority for determining when and how to self-report detected misconduct.
(d) Determining the appropriate scope of disclosures when a decision is made to self-report detected misconduct.
(e) Addressing potential conflicts between an organization and its agents or employees where the organization chooses to report detected misconduct.
(f) Waiving or preserving legal privileges in the course of disclosing information to public officials.


(g) Considering whether self-reporting will be accompanied by an organizational acceptance of responsibility for disclosed violations.
(h) Deciding whether to cooperate with external investigations by public authorities.
(i) Remediating harm from detected misconduct.
(j) Identifying the scope and ramifications of an organization's vicarious responsibility for detected misconduct.

Principle 20: Evaluate Program Effectiveness

An effective compliance program utilizes incidents of noncompliance to evaluate its own effectiveness, to correct deficiencies and to effect improvements.

Implementation Examples: Pages 145-147

Factors to Consider:

(a) Disciplining and retraining responsible employees.
(b) Identifying root causes of misconduct, including weaknesses in detection practices.
(c) Using external reviewers to evaluate incidents of misconduct and related compliance program weaknesses.
(d) Assuring prompt and effective follow-up measures.

IMPLEMENTATION EXAMPLES

INTRODUCTION

This section contains comments and implementation examples illustrating a number of potentially useful compliance program elements and design approaches. Collectively, these materials suggest means to relate the general compliance principles and considerations described in the first part of this volume to concrete compliance program design choices. These comments and examples by no means exhaust the available options and the compliance methods described here may not be essential for the operation of an effective compliance program in a given organization. Hence, these comments and examples are offered only as suggestions of useful compliance techniques and not as mandatory standards. Compliance program personnel may find these techniques useful for adoption in the forms described here, as the basis for slightly modified techniques more appropriate to their particular organizations, or as the inspiration for analogous techniques aimed at addressing the same compliance issues and risks.

ESTABLISHING COMPLIANCE PROGRAMS

PRINCIPLE 1: MANAGE COMPLIANCE

Organizations should pursue compliance through the creation and maintenance of an effective compliance program.

Factors to Consider:

(a) Creating a program that reflects, incorporates and is integrated with the organization's culture, value system and corporate objectives.

Comments:

1. A compliance program should typically reflect the attitudes of an organization's members. In larger organizations, it may be necessary to solicit the views of a representative sample of employees.

Example a: One large corporation requested that representatives of each major business unit provide their own description of the organization's culture as a prelude to the formulation of the company's compliance program.

2. A successful compliance program will often be integrated into the daily business of a company. To that end, compliance requirements can be established as a matter of company policy. This can be undertaken in a way that will make compliance a part of the company's value system. Programs in support of the company policy can be established and where appropriate, goals and objectives that support the policy can be developed and accountability for performance established.

3. The values of an organization can be reflected in its compliance program. To do so, a firm may wish to translate its values into specific performance goals.

Example b: One organization set a goal of no significant environmental deficiencies and held operating management accountable for reaching this objective.

4. To ensure understanding of the relationship between company culture and compliance activities, firms may publish materials explaining this relationship. These materials will be most useful if they match the current compliance concerns of the firms involved.

Example c: One organization that had published its statement of culture and values several years before instituted a practice of regularly refining the statement to accommodate changes in the organization.

5. A compliance program will often be most effective if it is grounded in the sponsoring organization's culture. In a decentralized organization, it may be desirable for the organization to identify the unique cultural features of each unit which has operational authority.

Example d: In one decentralized conglomerate's program, subsidiary presidents had authority to tailor their particular program to the distinct character of their operating units.

6. Organizational objectives can often usefully be evaluated for consistency with a compliance program's overall direction. Where corporate objectives are at odds with compliance program characteristics, the corporate objectives and the compliance program should usually be reconsidered and revised so as to achieve consistency.

Example e: In one conglomerate, senior management made a total reevaluation of its short- and long-term objectives in light of its new compliance program. Those objectives found to be inconsistent with the company's compliance program were closely reexamined in an effort to identify the source of the inherent conflicts. The conflicts identified were resolved so that all the objectives could be pursued without fear of intervention by governmental authorities.


7. For a compliance program to be effective it will often need to reflect the essence of the program's sponsor, rather than just the sponsor's superficial support. In adopting a program it is important to start off by articulating the sponsor's culture.

Example f: In one complex organization that decided to develop a compliance program, senior management, after developing a sense of how important identification of its culture was to the organization's long-term success, sequestered itself for the sole purpose of creating a core value statement. After considerable debate and numerous revisions a statement was created that satisfied nearly everyone. All corporate activity -- including the company's compliance program -- is now evaluated for consistency with the statement.

8. Creating an effective compliance program often requires input from members of the organization. For large organizations, the Board of Directors or senior management may authorize a committee of members of the organization to canvass representative individuals from various units and divisions to describe the organization's culture, character and value system in order to incorporate those basic features into the compliance program.

9. Many small companies have no obvious, formalized culture or value systems. Beginning a corporate compliance program is an excellent time for the owners or managers to take time to articulate what the company's culture and value system is or should be. They can then develop a compliance system that complements and supports the company's culture and values.

(b) Designing a program that is tailored and fine-tuned with specific regard to the size, form, complexity and history of the organization.

Comments:

1. It is often useful for a company to design a compliance program with the history of the adopting organization in mind. In this regard, an organization should be particularly sensitive to its compliance experience.

Example a: One company that had several past compliance failures adopted a program which made clear that future compliance failures would be met with severe sanctions including dismissal.

2. To be successful, compliance programs will often need to be matched to the size of an organization. As businesses get larger, decision making is typically more diffused throughout company organizations.

Example b: To deal with widely distributed decision making that affected compliance, one large organization determined that it was necessary to adopt a highly formalized compliance program.

3. A successful compliance program should be tailored to the needs of the business. Compliance programs that are out of proportion to a company's risks of noncompliance will waste company resources.

Example c: In the worker safety area, a risk assessment of operating activities might be completed to identify high risk operations. These operations would then be addressed with the greatest attention and detail in a compliance program. Lower risk operations could be addressed with less comprehensive direction and monitoring.

4. Different types of organizations will have different program needs. Compliance programs may be most effective where they are designed based on detailed knowledge of firm operations.

Example d: In one organization, a select group of experienced employees was commissioned to draw up a description of the organization which became the basis of the program development discussions.

5. A compliance program will often need to be designed with the operating structure of an organization in mind. Within an organization a program can be tailored to each operating level.

Example e: In one multi-layered organization, multiple forms of a program were developed to serve the needs of the different levels of employee sophistication.

6. One aspect of company culture that must often be taken into account to develop an effective compliance program is the extent to which an organization is managed on a centralized basis.

Example f: One company that determined it preferred to operate in a highly adaptive manner opted for a decentralized compliance program which would likewise be highly adaptive.

(c) Reviewing program needs based upon an organization's history of violations (if any), the risks of future violations inherent in the operations of the organization, industry standards and regulatory regimes, federal sentencing commission standards, management standards regarding essential components of compliance systems, and empirical studies of the effectiveness of compliance practices.

Comments:

1. A compliance program can be tailored to address particular areas of the law that are relevant to the organization's operations. The following is a list of the most common areas of law that are typically found in compliance programs:

Antitrust and Other Fair Trade Laws
Government Procurement and Contracting
Political Contributions/Lobbying
Protection of Company Assets
Accurate Books and Records
Securities/Insider Trading
Money Laundering and Other Currency Transactions
Environmental Issues
Labor Relations and Employment Discrimination
Sexual Harassment
Intellectual Property
Substance Abuse
Product Liability
Consumer Protection/Consumer Fraud
Workplace Safety (including Occupational Health)
Conflicts of Interest/Gifts
Commercial Bribery
Regulatory Issues (FCC, DOD, etc.)
International Issues (FCPA)
Consent Decree Compliance

2. A compliance program should be focused on areas of legal compliance that an organization most frequently confronts. A listing of recently encountered legal risks and problems will be useful in ensuring that a complete set of corresponding compliance program elements is adopted.

Example a: Companies that operate within a broad regulatory framework -- such as regulations enforced by the Food and Drug Administration -- can begin their risk assessment by examining their own and other like companies' histories of violations and citations. Many companies also conduct "litigation audits" as a starting point for assessing their legal risks.

Example b: One company conducted a thorough self-evaluative audit of the legal risk inherent in its past operations to determine its proper compliance focus. While self-audits are often very useful in targeting future compliance efforts in continuing operations, these audits may not be privileged and can be subject to disclosure in criminal or civil proceedings. See also Consideration 18(k).

3. A compliance program should adapt to an organization's changing needs. The sponsoring organization should have a process in place to continually reassess the program's currency and relevance.

Example c: One company linked its compliance professionals to its government affairs office so that persons responsible for compliance were kept informed of pending statutory and regulatory changes.

4. While relying on the internal personnel of an organization for the design of a compliance program may be the best way to ensure that compliance program elements are compatible with corporate operations, an organization should consider the use of outside experts in specific subject areas for assessments of the sufficiency of the program specifics tentatively selected by the organization. The use of outside experts in compliance systems can also help assure that all of the essential components of compliance systems are included.

Example d: In order to identify the relevant laws that should be the focus of its program, one company surveyed knowledgeable individuals across the organization and supplemented the results with lists obtained from other industry sources.

Example e: One organization asked its principal outside attorney to review its listing of anticipated compliance problems and then benchmarked its program with a peer group.

5. Other businesses with similar compliance problems can be another useful outside resource. An organization can benchmark its program with those of its peer group. Peer group comparisons can help assure that the organization's compliance program adequately addresses industry standards.

6. Compliance programs can define how corporate resources will be used to meet existing regulatory requirements.

Example f: One company completed a thorough survey of regulatory requirements before designing its program in order to have in mind the special regulatory demands that had to be designed into the program.

7. Small companies may need to employ an attorney with experience in business compliance with regulatory laws to determine potential legal issues and problems relevant to the company. Another source of information as to areas which create legal danger may be trade associations.

Example g: One trade association assisted its members in identifying likely compliance issues by compiling a composite listing of compliance problems from all its members.

(d) Directing organization members toward compliance through compliance codes, operating standards, codes of ethics, and other corporate policy and philosophy statements.

Comments:

1. There are three general approaches to compliance code formats: (1) compliance codes that provide specific statements giving guidance and prohibiting certain kinds of conduct; (2) corporate commitments to constituencies, values and objectives; and (3) enunciations of the company or CEO's ways of doing business. These codes and philosophy statements identify important objectives and goals that every member of the organization should strive to achieve in the day-to-day operations and management of the company. A sample code of conduct for a small company is included in Appendix A of this text.

2. The scope of compliance policy materials delivered to particular operating personnel (as well as the means for their delivery) should be tailored to ensure that necessary policy information is transmitted without overloading employees or diluting key policy messages.

Example a: One company developed a compliance program with multiple communications channels which were designed to provide different levels of program detail according to the operational needs of each particular audience.

3. It is usually desirable for requirements of a compliance program to be consistent with existing company policies. Such policies typically identify important organizational objectives and goals. To ensure consistency, a compliance program can specifically incorporate portions of existing policies.

Example b: One company incorporated its existing code of ethics, vision statement and corporate guidelines as well as existing compliance activities as part of its overall compliance program.

4. A compliance program should normally be consistent with corporate policies at all levels of an organization. Each level of an organization can be surveyed to determine what its practice and policies are and whether those policies need to be modified so that they are consistent with the compliance program.

5. Compliance programs should also be consistent with existing organizational practices. To be effective, a program must be accepted by all employees as a source of direction in completing existing activities. Many organizations require their employees to participate in the development of programs and, once adopted, certify in writing annually that they have read, understood and will comply with the programs.

6. Small companies with little or no written policies, company codes of ethics, compliance codes or other statements may direct compliance by means of a letter to employees from the CEO stating the CEO's requirements that employees comply with the laws and any future memorandums concerning company compliance.

(e) Setting forth program definitions and operating practices in writing and disseminating program descriptions through manuals and other appropriate media.

Comments:

Page 32: Table of Contents

Comentarii:1. Companies that create compliance programs generally do so in writing. A written compliance policy is an important step in establishing that a company is serious about its compliance efforts. Compliance program materials disseminated to a workforce will typically outline the acceptablebehavior of employees and state the company's expectation that every employee will follow the guidelines established therein.Companiile care creează programe de conformitate, în general fac acest lucru în scris. O politică de conformitate scrisă este un pas important în stabilirea faptului ca o compania este serioasa in eforturile sale de conformitate. Materialele programului de Conformitate diseminate unei forte de muncă va prezenta de obicei comportamentul acceptat al angajaților și declara asteptarile companiei ca fiecare angajat va urma liniile directoare stabilite de aceasta.2. Compliance programs are made available to some or all employees, depending on the compliance needs of the organization. Example a: Some companies set "triggers" for distribution of program materials to individuals, e.g., upon becoming an employee, upon attaining a specified level within a company, or upon transfer to aspecified function.Example b: Certain companies consider their compliance manuals to be public documents and accordingly publish portions of their program manuals upon request.Programele de conformitate sunt puse la disponibilitatea unor sau tuturor angajaților, în funcție de nevoile de conformitate ale organizației.Exemplul a: Unele companii seteaza "capcane" prin distribuirea de materiale cu programul de conformitate de către persoane fizice, de exemplu,inainte de a devenii angajat, inainte de atingerea unui nivel anume în cadrul unei companii, sau la transferul pe o funcție specifica.Exemplul b: Anumite companii consideră manualele lor de conformitate a fi documente publice și în consecință publica porțiuni ale manualului cu programul lor la cerere.3. 
Compliance program descriptions should be made available in an effective manner. Program descriptions should be clear and concise, with contents and terms that are understandable to the various users of the program documents.Example c: One organization had its program documents reviewed by its communications department and an external communications expert to determine that its multi-level program description wasexpressed in language that was understandable by the target audience for each level of the program.Descrieri ale programului de conformitate ar trebui să fie puse la dispoziție într-un mod eficient. Descrieri ale programului ar trebuie să fie clare și concise, cu conținut și termenii care sa fie ușor de înțeles pentru diversi utilizatori ai documentelor programului.Exemplu C: Unei organizații i se revizuieste documentele programului de către departamentul de comunicare și de catre un expert în domeniul comunicării externe pentru a determina daca descrierea multi-nivel a proiectului a fost exprimată într-un limbaj ușor de înțeles de catre publicul-țintă pentru fiecare nivel al programului.4. Information about a compliance program should be disseminated in such a manner as to enhance the program's likelihood of success.Employees can only be expected to comply with a program if they are aware of it and understand the program's contents and how it applies to the organization.Example d: One company provided copies of its entire program description to all managers, summaries of the program description to all employees and portions of the program manual to the public uponrequest. 
All employees were tested on the basic content of the program.Informații despre un program de conformitate ar trebui să fie difuzate într-o astfel de manieră încât să consolideze probabilitatea succesului programului.Se așteapta ca angajatii sa se conformeze cu un program în cazul în care sunt conștienți de el și să înțeleagă conținutul programului și modul în care acesta se aplică organizației.Exemplul d: O societate a furnizat copii ale descrierii întregului sau program tuturor managerilor, rezumate ale descrierii programului tuturor angajaților și porțiuni ale manualului programului pentru public, la cerere. Toți angajații au fost testati cu privire la conținutul de bază al programului.5. Compliance programs can be presented to employees through many media other than written documentation.


Example e: One company provided live presentations on particularly important aspects of its program and made video tape copies of the presentations available for persons in remote locations.

6. The form of presentation of a compliance program can help indicate that the compliance program is to be taken seriously. To encourage this, compliance program descriptions can be combined and disseminated with other important corporate policies.

Example f: One organization included its compliance program description in its personnel manual. The manual contained cross references and featured material that ensured the program was given prominence.

7. Small companies that do not use employee manuals or other formal writings to employees may communicate the operating practices and program description by use of more informal letters and memorandums from the CEO or an outside lawyer employed to audit and develop guidelines, or disseminate the information in a series of group meetings conducted by a manager or attorney.

(f) Documenting specific steps taken in the implementation and operation of a compliance program.

Comments:

1. A written report of how a compliance program was implemented can be very useful. Such a record can help an organization defend the program's effectiveness and tailor it in the future.

Example a: One company created a written record of the rationale for each important design aspect of the firm's program.

2. A written record of how a program has been operated can demonstrate that the program's effectiveness was being monitored. A written record of monitoring can be convincing evidence of a program's implementation.

Example b: One company had employees confirm in writing that they had received a copy of the company's program description. The employees were also required to pass a test on the program's contents as a condition of continuing employment.

3. The owner or manager of a small business that does not have a written, formalized compliance program can write and retain a memorandum once each quarter (or other administratively convenient time period) stating the actions taken to achieve compliance with the law, such as meetings with attorneys, discussions with employees concerning legal compliance, changes in firm policies and practices, and seminars and training attended by employees concerning issues such as OSHA, ERISA or environmental rules.

(g) Including systematic record making and document retention practices in organizational operations that will aid in monitoring organizational compliance and in demonstrating the completion of compliance procedures.

Comments:

1. Over-retention of documents may add to storage and litigation costs without aiding compliance efforts. An effective compliance program will typically include document retention policies and related procedures that spell out how the company involved will retain what is required by law in each of its operations areas. A document retention system can begin with a statement of the company's policy regarding records retention and the steps that should be followed by employees and management to assure compliance. Training employees how to create documents in the first instance and how to retain documents are two essential components of a compliance program.

2. It is also important to memorialize a company's records retention practices regarding compliance documents.

Example a: One company created a detailed report of all the records retention obligations employees needed to address and required yearly certification from all operational units that these obligations were being met.

PRINCIPLE 2: CONTAIN RISKS

An effective compliance program is designed to prevent, detect and respond to legal risks and to promote compliance with the law.

Factors to Consider:

(a) Identifying liability-causing conduct based on industry or organizational experience, as well as the occasions for such conduct.

Comments:

1. In creating a compliance program, an organization will often wish to thoroughly examine its liability risk profile. To accomplish this profiling, it may be useful to examine the risk experience of the organization's industry.

Example a: One company had its attorney use all available sources to prepare a thorough report on compliance problems that the company's industry had experienced.

2. To complete its liability risk profile, a company may also wish to assess its own past compliance history.

Example b: One company assigned an in-house attorney to conduct both a search of the company's files and a compliance audit to determine compliance risks that the company had faced. While the involvement of an attorney may help preserve the attorney-client privilege, to the extent that such studies are viewed as management tools or are disclosed to public agencies to demonstrate compliance diligence, these audits can be subject to disclosure in civil and criminal cases. See also Consideration 18(k).

3. To conduct a comprehensive review of existing files for documents that demonstrate the risk of violations, companies can review litigation records, civil complaints, SEC disclosure documents, board of directors' minutes, prior investigative records, insurance policies, risk management documents, accountant's or internal auditor's work papers, interviews of key personnel, employee questionnaires, etc. The inventory should be documented so that a company can establish how it achieved compliance and should never be considered as fully completed because compliance is dynamic.

4. A compliance program can include a plan to inventory company records in reverse chronological order to a specified cut-off date in order to determine areas of foreseeable risk and to otherwise plan compliance efforts that address the needs of the organization.

5. Any survey of liability-causing conduct should take into consideration predicted future events. For such a survey to be useful it must take into account changes occurring in the company and the industry in which the company operates.

Example c: One company established a practice of having an in-house attorney conduct annual interviews with senior management to identify new compliance risks to the organization arising from such changes.

6. Each organization employs its own particular techniques for conducting its operations. A compliance program can attempt to identify the occasions for liability-causing conduct that are likely to arise given an organization's operating practices.

Example d: One company identified generic liability-causing conduct and then identified specific examples drawn from its own business practices as to how such conduct could turn into a compliance problem. Both the generic risks and the company's specific compliance issues were emphasized in compliance program presentations to employees.

7. For larger corporations, in-house or outside attorneys can create a file of examples of potential liability-causing conduct as illustrations of specific activity or behavior that the organization's employees must avoid. For instance, particular reported cases can be collected and summarized. Whenever practical, these examples should be distributed to employees with helpful instructions written in a clear and concise manner describing how to avoid liability-causing conduct.

8. For smaller companies (i.e., less than 100 employees) discussions at staff meetings (based on written presentation materials reviewed by a company attorney) can identify liability-causing conduct and how to avoid situations in which the companies will be held accountable for the misconduct of employees.

9. After litigation concludes, many companies conduct "postmortems" to evaluate the circumstances leading to the litigation and possible improvements in operations and procedures to avoid recurrence of similar problems.

(b) Identifying non-obvious and incipient misconduct that tends to promote illegal actions.

Comments:

1. Non-obvious and incipient misconduct generally is difficult to prevent and detect given its nature. Steps that may be taken to prevent occurrence can include employee training that will identify the potential source of problems before noncompliance is allowed to occur. Employees need to be educated regarding misconduct-prone circumstances that may arise.

2. To be effective, a compliance program should identify business conduct that is likely to result in a compliance problem. Certain non-obvious situations may present particular difficulties.

Example a: One company commissioned one of its attorneys to identify all reporting and disclosure obligations that the company was required to comply with and then present a training program to employees explaining these rules.

3. Incipient misconduct should ideally be identified before it develops into a violation of compliance standards.

Example b: One company commissioned an in-house attorney to interview all employees periodically to determine whether they were engaging in conduct that was likely to lead to serious compliance program violations. The practicality of conducting personal interviews of all employees is limited by the need for direct contact between a lawyer and individual employees, suggesting that this approach will be most suitable for small businesses or departments.

4. Small companies may discover non-obvious and incipient misconduct by obtaining information from other companies in the same field of business, contacting trade associations, or using the services of an attorney who specializes in corporate compliance activities.

(c) Structuring compliance practices to be effective, while still enhancing an organization's business, assets and goodwill and preserving its legal privileges and rights.

Comments:

1. Compliance activities can protect an organization's assets and goodwill. Such assets and goodwill may have been developed over the years through the hard work of the organization's employees and be difficult or impossible to replace.

Example a: One company's compliance program explained explicitly how compliance efforts were designed to protect and preserve the organization's hard-won goodwill. This explanation was used to convince employees to accept the program.

2. Compliance programs must be effective, yet not have any unnecessary adverse impact on the companies operating the programs. Compliance activities should be conducted with an eye to preserving a company's legal privileges. See also Consideration 18(k).

Example b: To promote this end, one company required that its attorneys conduct all compliance investigations and maintain all resulting findings in strict confidence.

3. In order to ensure preservation of appropriate legal privileges, key employees of an organization often need to be trained regarding the basic legal privileges that can apply and how to preserve them. Records of incidents need to be created and handled in such a manner that does not waive the privilege. Employees typically need training on how to appropriately label confidential and privileged documents. See also Consideration 18(k).

PRINCIPLE 3: RESPOND TO CHANGE

An effective compliance program is a dynamic process that is designed to be flexible and modified, when appropriate, to reflect changing conditions.

Factors to Consider:

(a) Addressing the differing compliance problems and needs of dissimilar operating units.


Comments:

1. Compliance programs will often be most useful if they are tailored to fit each organization's unique compliance situation. The same is true regarding operating units within an organization. Each different operating unit of an organization may need its own program.

Example a: One conglomerate required each of its operating units to design its own program beginning with only a central set of principles.

2. Compliance programs may also be tailored to fit an organization's legal environment. An organization with global operations must confront a host of different and potentially conflicting compliance requirements.

Example b: One international organization adopted a core of global standards, but permitted local management to modify portions of their program to take into account local needs. Such modifications required the approval of the company's General Counsel.

3. It will often be desirable for a compliance program to be sufficiently flexible to adapt to change. An organization adopting a compliance program can adopt systematic practices that help it remain conscious of internal and external changes that impact its program.

Example c: One organization required that its compliance program manager be notified of all significant developments in company operations and gave him unlimited access to company attorneys and senior management in order to detect and respond to new legal issues.

(b) Providing for continuous operation of a compliance program and incorporating it into the daily activities of the organization.

Comments:

1. It will often be beneficial for a compliance program to be tied into the day to day work of an organization.
To be effective, it is useful for the compliance program to be appreciated by those who are faced with compliance issues.

Example a: One company explained its program by illustrating its intended implementation with concrete examples drawn from the organization's specific work-related activities.

(c) Including mechanisms within a compliance program that promote program changes in response to new business activities or other organizational changes.

Comments:

1. A successful compliance program will usually be adaptive to changes in a company's environment. In particular, a program will often need to change to meet evolving legal requirements and standards.

Example a: One organization required its attorneys to maintain a continuing survey of developments in the law of self-evaluative privilege to ensure that program procedure met changing standards for privilege protections.

2. A compliance program can include components that respond to the changing plans of an organization. This can be accomplished by continuously updating a compliance program to reflect the projected future business activities of a concern.

Example b: To ensure that compliance issues raised by new business operations were addressed, one company required business planners to include compliance program considerations in every business plan.


Example c: In order to identify potential compliance risks raised by new business activities, one firm incorporated a specific compliance risk and vulnerability question in its business development review process.

3. Unplanned changes in company activities can also produce new compliance risks. A compliance program can include procedures to address the changing compliance needs of an organization, whether those needs result from planned or unplanned changes in company activities.

Example d: One company developed a self-assessment tool to enable each of the organization's business units to continually evaluate and assess their compliance risks.

4. Regular reevaluations of the results being achieved by a compliance program will often provide valuable information. The objective of these reevaluations is to confirm that a compliance program is still adequate to ensure on-going compliance.

Example e: One company instituted a compliance program audit cycle with a report of all findings to the audit committee of the company's board of directors.

5. Small companies with only one or a very few managers should schedule periodic times (such as once each six months) to reevaluate their compliance programs to determine if any changes or additions are appropriate.

(d) Recognizing that organization members or other firms may develop new methods to achieve compliance and providing mechanisms for identifying and evaluating those new methods.

Comments:

1. Organizations will wish to structure and operate their compliance programs to emphasize continuous improvement. Often, systematic reviews of present practices and available alternatives will be desirable to focus management attention on opportunities for improvement. Compliance program descriptions should be viewed as "living documents" subject to ongoing reassessment and improvement.

2. Organizations with a quality program, such as Total Quality Management, may wish to consider integrating their compliance program with the quality program, as both deal with reducing and eliminating defects in relationships with stakeholders such as customers, vendors and regulators. Before doing so, however, an organization may want to first assure itself of the effectiveness of its quality program.

PRINCIPLE 4: STATE COMPLIANCE POLICY

An effective compliance program states that it is the organization's policy to comply with all applicable laws.

Factors to Consider:

(a) Evaluating alternative methods that the organization can use to effectively state its policies regarding compliance.

Comments:

1. An effective compliance program is typically backed by company policy. The message that it is the organization's policy to comply with all applicable laws can be communicated in the same way as all other important company policies. One effective method is to have all policy statements written and fully available to all employees. Company policies can also be available for external review when necessary. The policy should clearly state the company's compliance beliefs and how compliance will be maintained. Goals and objectives can be developed for the compliance program and can be communicated in ways other than by company policy. Program goals and objectives can be identified as initiatives and performance communicated at the end of an identified period.

2. Since it is a key guiding principle, a statement that employees must comply with applicable laws is often a useful starting point for employee guidance on compliance and ethics matters. It may be wise to repeat this policy statement in a number of contexts, such as mission statements, corporate credos, statements of objectives, directives and resolutions of the board of directors, compliance policy directives, codes of ethics, and corporate conduct guidelines.

3. Another compliance policy distribution method is to include policy statements as part of broader disclosures to employees of key information.

Example a: A number of companies have included compliance policies and standards in new hire employee packets.

4. Where companies instruct employees to seek out important information from a particular source or archive, compliance policy information can be supplied as part of the information distributed.

Example b: One company posted compliance policies, standards and procedures on an internal network information library readily accessible to all employees.

5. Aside from including compliance policies prominently in management communications, a company may wish to restate those policies in employee manuals, handbooks or contracts in order to establish compliance with the policies as a term of employment. The advantage of this further use of compliance policies and standards is that it clarifies that failure to comply with the company's compliance standards will be grounds for discipline.

6. Periodic reminders about the importance of compliance and of management's strong interest in this aspect of employee performance can also be valuable.

Example c: One company sought to promote employee commitment to compliance by incorporating a corporate compliance section into its periodic "how goes it" messages directed to all employees.

Example d: Another company used its internal electronic "Employee News" Bulletin Board to post periodic "Did You Know?" notices pertaining to specific corporate compliance goals, policies and standards.

Example e: A third firm included short compliance policy awareness notices in employees' paycheck envelopes.

7. Compliance policies and updates may also be distributed in contexts where other activities draw particular attention to compliance matters.

Example f: One organization relied on its internal audit staff to distribute copies of compliance policies and standards as routine information items provided in the normal course of their audit duties and exit interviews.

8. Policy statements requiring compliance in general can usefully be accompanied by more specific conduct-oriented policies aimed at particular employee tasks. The objective of these more specific policy statements will be to describe legal requirements and related company policies to convey useful information that will directly affect conduct. This type of guidance is best provided in materials that avoid legal jargon and terms of art and are instead phrased in operational terms familiar to employees.

Example g: As an illustration of such an approach, an employee in the credit or financial function of an exporter could be helped to understand the general policy of the organization toward complying with federal antiboycott laws by being given samples of statements that the organization can accept in letters of credit.

9. The proper scope of compliance directives may depend on the size of an organization and the range of activities it undertakes. In a small firm, compliance policies need only address the range of activities undertaken by the firm. In addition, if the scope of activities being undertaken in a small firm implies that a given type of legal problem will be encountered only infrequently then corresponding policy statements may be more abbreviated than in large concerns where the same problem may be present more frequently.

10. Illustrations of the implications of noncompliance for the organization and the individual can often bring home the importance of compliance. Corporate policy statements on compliance can usefully state penalties and consequences, especially those which involve personal liability. These should be clearly stated in order to have the full impact of noncompliance with law and the compliance program. Some laws forbid organizations from indemnifying individuals for their personal liabilities, and a statement to this effect can be a meaningful contributor to deterrence.

11. Policy statements in compliance programs can be counterproductive if they contain provisions or other commentary that may be misconstrued. One way that policy statements may be harmful in this respect is by oversimplifying legal requirements so as to assert that particular conduct is always legal or illegal when that is not the case.
Such policy statements may later be deemed admissions that the specified conduct is illegal. To avoid this impact, policy statements should avoid broad statements that certain actions always constitute violations or suspected violations of law or company policy. Instead, a compliance program can state that not all possible instances of violative conduct are identified in the materials or require legal department approval for certain activities before proceeding.

12. No policy statement about compliance will provide clear guidance to employees in all situations. One useful solution to possible ambiguity of compliance policy statements is to clearly identify who an employee should contact for further information. A compliance program can identify either an in-house attorney, a compliance officer, or another designated individual whom an employee can contact whenever there is any doubt concerning the terms and provisions of the compliance program.

13. Small businesses with few owners or managers and no inside attorneys may direct employees to speak with a specific manager or owner, or an attorney hired on a retainer if the employee desires further information.

(b) Stating the organization's compliance goals and methods for achieving those goals in a clear and straightforward manner.

Comments:

1. As with other policy directives, compliance policies will be most effective when stated in terms that are both understood by employees and taken as indications of serious concern by top managers. If senior executives merely adopt compliance policy language suggested by an attorney or mimic the language of governing laws, the differences between these policy statements and true expressions of top management concern will be apparent to employees. The result will be that compliance policy statements are not taken seriously.

2. In many areas of compliance, the means to achieve compliance will not be fully known in advance of related corporate operations. The most that will be able to be specified in related compliance program elements is the procedure by which compliance issues will be raised and resolved. These procedures can have two types of objectives: first, to provide employees with all the information necessary to make decisions in the workplace that will result in compliance with all applicable laws and company values and, second, to monitor compliance by employees in making decisions and taking actions.

3. One way to transform a company's general compliance goals into specific actions is to include compliance topics in regular planning discussions.

Example a: One company required senior business managers within discrete corporate business units or divisions to initiate periodic internal messages to their subordinates. The messages described hypothetical or plausible compliance risk scenarios that are germane to their business operations. In addition to providing a regular forum for addressing new or changing compliance problems, this method demonstrated the involvement and commitment of senior management to compliance in business practices.

4. Overlapping legal requirements or the distribution among several employees of operational responsibilities for particular aspects of compliance may make the articulation of compliance policies particularly difficult.
In these circumstances, it may be desirable for a firm to have a special management body to resolve apparent conflicts in compliance standards and to ensure that all members of a group pursue compliance.

Example b: A compliance committee or group of compliance program administrators might be held responsible for identifying these types of compliance problems and for overseeing related processes for clarifying compliance duties and for achieving compliance.

5. Managers of a small business may state the firm's compliance goals and methods by periodically mentioning them in meetings with employees and by sending or posting occasional memos to employees.

(c) Making descriptions of compliance policies and practices readily available to all personnel who are subject to them.

Comments:

1. It will sometimes be desirable to tailor the distribution of compliance policy statements to the needs of individual employees. Some policy directives -- such as discussion of the general compliance goals of a corporate employer -- will be useful for all employees. These statements can remind individual employees of their general compliance responsibilities even in the absence of more specific policies on particular areas of compliance.

2. Compliance policies in specific legal areas or addressing particular business practices can be directed to only those employees who are to be governed by the specialized policies. This ensures both that employees are not overwhelmed by meaningless directives and that wasteful distributions do not consume compliance resources.

Example a: Corporate policy statements about price fixing offenses might be sent to all sales employees, but withheld from non-sales clerical staffs. Similarly, environmental compliance policies might be distributed to employees handling chemical materials, but not to sales employees. However, even if they are not needed to guide the sales employees' own actions, company environmental policies might still be needed by sales employees to inform concerned customers about company environmental practices.

3. Compliance policies may sometimes be extended outside a company. Particularly where a company will be held legally responsible for the actions or products of contractors, the firm will wish to exert some control and monitoring concerning the compliance practices of contractors.

Example b: One firm's consulting contracts required that consultants comply with company compliance standards in all regards.

(d) Stating, wherever appropriate, that certain areas of law are interrelated such that violations in one area of law may result in legal obligations in a separate area.

Comments:

1. Compliance programs can convince employees of the importance of compliance by identifying the full range of business risks associated with compliance failures. Often, an organization's civil liability to private claimants is directly related to the organization's compliance with criminal or regulatory standards. For instance, noncompliance with Food and Drug Administration (FDA) regulations could lead to product liability suits. Policy statements on compliance can identify these linkages as a further means to clarify the importance of compliance.

2. Employees will sometimes need to be made aware of the relationships between compliance risks if they are to respond fully to those risks.
In order to inform employees about how compliance with particular legal standards can have broader legal implications, one company routinely includes illustrations of potential overlapping or collateral regulatory compliance issues and concerns in its compliance training program.

3. In order to properly inform employees about compliance risks, corporate managers must be aware of these risks themselves. A firm may wish to gather information about related categories of legal risks at every opportunity.

Example a: As part of the services received from outside attorneys employed to assist with the management of a regulatory violation self-disclosure, one company obtained a compliance awareness tool that consisted of a matrix of common regulatory violation risks correlated with potential related violations in other regulatory areas.

4. A firm confronted with a particular compliance problem will typically want to make sure that the full range of other, related compliance issues is addressed. This will often require company personnel to identify the source of the detected misconduct and to consider what other corporate activities might be susceptible to the same type of misconduct.

Example b: To ensure complete attention to related compliance risks, one company inserted identical provisions in both its internal compliance incident reporting procedure and its internal investigation procedure that required the completion of a potential collateral issues and violations assessment in conjunction with noncompliance incident reports and investigations.

PRINCIPLE 5: ENDORSE AT TOP LEVELS

The highest governing authority within the organization endorses the compliance program.

Factors to Consider:

(a) Choosing carefully the mode or modes by which a governing body or individual endorses the organization's compliance policies and compliance program.

Comments:

1. A compliance program will usually need to receive visible support from persons at the highest levels of a company. In larger corporations, this endorsement could come from the board of directors; however, it is not uncommon for the CEO to sign policy statements. In smaller companies, a president or owner could sign the policy statements.

2. Senior corporate managers should periodically reaffirm their commitment to compliance. The means to do this in a way that will be appreciated as genuine by individual employees will vary from organization to organization.

Example a: One organization used the technique of an annual compliance commitment certification signed by the chief operating officer and designated senior managers.

Example b: Another firm incorporated a paragraph on compliance assurance in its annual management message from top executives to employees.

3. Top managers typically signify their interest in specific areas of corporate performance by not only describing their interest, but by also monitoring that area of performance. In order to clarify the importance of compliance in the eyes of senior managers, it may be useful to accompany statements of interest by those managers with descriptions of how senior managers will be monitoring subsequent compliance performance by subordinates. This type of policy statement might identify specific mechanisms through which senior management will receive compliance performance information.

4. Another way that top managers can demonstrate their interest and commitment to compliance is to review and approve the specific provisions of a company's compliance program.
Such approvals will be desirable at thehighest corporate levels.Example c: One company's Compliance Program Policy wasapproved and recommended by the presidents of its operatingcompanies and the senior executives of its holding company. It wasthen approved by its Chairman and CEO and officially endorsed by itsBoard of Directors. This approval process matched that used for all ofthat firm's formal company policies.5. The effectiveness of top management communications regardingthe importance of compliance should be an ongoing concern. Firms maydecide to conduct studies to determine if employees believe that complianceis a top management priority. Conducting a survey of employee opinions

Page 44: Table of Contents

about top management desires for compliance is one way of determiningwhether top managers are effectively conveying their commitment tocompliance.(b) Providing for continuing, active participation of the organization'ssenior executives in promoting and overseeing a compliance program.Comments:1. The level of authority of persons monitoring complianceperformance is a critical choice in operating a compliance program. Often,those persons should be at the highest corporate levels.Example a: The highest governing authority in a corporateorganization is the board of directors. The board may wish todesignate a committee of board members with oversight responsibilityfor management's implementation of compliance programs. Boardcommittees are typically delegated the oversight of specific areas forpurposes of working with management, taking actions, reporting to thefull board and recommending full board actions.2. Beyond reviewing and approving the substance of a particularcompliance program, corporate board members should consider themanagement structure that will be used to implement the program. Forexample, a board may wish to appoint a management committee which willreport to the board on the activities undertaken in connection with promoting,monitoring and dealing with violations occurring under the complianceprogram. The management committee may designate varioussubcommittees to both communicate the code to the employees and to71monitor performance under the code to ensure that employees are achievingcompliance goals and objectives.3. A company may wish to designate one senior executive who hasprimary operational responsibility for compliance program results.Example b: In one company, while the firm's compliance policy wassigned by the president of the company, the compliance officer was anExecutive Vice President who actively participated in the company'smanagement. The guidelines and policies were reviewed andapproved by the management. 
The Audit Committee of the Board ofDirectors received briefings from the compliance officer, who wassometimes but not always a member of the Audit Committee, severaltimes each year.4. In addition to designating a senior executive to oversee compliancematters, a firm may wish to have this individual be one of the company's topin-house attorneys. This ensures that legal expertise is applied to shape theday-to-day operations of the program. However, it may lose certain benefitsusually associated with legal representation (e.g., the confidentiality affordedif the attorney-client privilege is successfully asserted -- see Consideration18(k)) because the attorney involved is acting as a corporate manager, not alawyer. On balance, some firms find attorney/managers to be the bestchoice.Example c: One company's General Counsel and Senior VicePresident was the Compliance Program's Designated Officer. He wasresponsible for its overall implementation. He met on a regular basiswith the company's compliance attorney and Environmental HealthSafety (EHS) director (most of the company's compliance issues werein the EHS area) and on an as-needed basis with the complianceattorney when compliance issues arose. He gave a status report to

Page 45: Table of Contents

the board of directors annually. The chairs of the Audit and EthicsCommittees of the Board of Directors, each an outside director, werebriefed on significant compliance issues when they arose and might, ifthey deemed it appropriate, brief their committees and/or the Board asa whole.725. Top level operational managers can maintain some continuinginvolvement in the implementation of compliance programs without beingactive in these efforts on a day to day basis.Example d: One approach top level managers can take is to endorsea code of conduct or such other medium of conveying the overallobjectives of the organization’s compliance efforts, and furtherdirecting that detailed guidance effectuating the objectives will beprepared and implemented by management as part of theorganization’s compliance program. Top managers can periodicallyassess progress towards these assigned implementation objectives.6. Once a compliance program is fully developed, means can beincluded for periodic reviews by senior executives of the performance of thisprogram.Example e: One possible approach is to use activity reports to providesenior executives with information about the operation of a complianceprogram. Senior executives could also be provided periodic reports ofactivities occurring under a compliance program, especially instancesof noncompliance and remedial actions taken. A regular reportingfeature gives senior executives the opportunity to effect changes atthe highest level of program operations.7. Firms may wish to be particularly careful to scrutinize the scope andeffectiveness of senior executives' efforts to promote compliance andoversee compliance programs. Where a senior executive has participated inor knowingly tolerated an offense, a firm will often lose any possible benefitthat its compliance program might otherwise have afforded in prosecutorialdecisions or sentencing reviews. 
Hence, efforts to ensure active pursuit ofcompliance by senior managers ought to be no less than, and preferablygreater than, efforts aimed at the employees otherwise involved in theprograms.8. Owners and managers in smaller firms are subject to much morepersonal observation by employees than is true in large companies, thereforetheir actions must not only be legal and ethical, but also appear to be legaland ethical. These owners and managers will wish to be sensitive to theappearance of wrongful actions and take care to explain their actions toemployees in cases where they may be misinterpreted.

PRINCIPLE 6: CREATE COMPLIANCE ACCOUNTABILITY

An effective compliance program establishes accountability for compliance throughout the organization.

Factors to Consider:

(a) Establishing mechanisms that hold all organizational directors, officers, employees and agents accountable for compliance in the course of activities that they initiate or oversee.

Comments:

1. A compliance program can hold individual employees accountable for actions that subject their organization to liability or other legal risk. Accountability can be imposed through formal compliance assessments for individual employees, leading to rewards for performance promoting compliance and corrective action for compliance failures.

2. To ensure that accountability mechanisms apply to all sources of liability and legal risk to a company, the company may wish to extend some aspects of accountability practices outside of its organization. Actions of external corporate agents or independent contractors can create liability for a firm. A business, therefore, has a strong interest in holding those outsiders accountable for compliance. Firms may wish to incorporate provisions in related contracts requiring compliance by agents and contractors acting for the firms and providing for reporting and reviews concerning compliance by these outside parties.

3. A first step in holding employees accountable for compliance performance will often be confirming that the employees have reviewed and understood the compliance policies of their employer. This review may extend to descriptions of each individual's responsibilities for compliance-related tasks. To ensure that this type of review of policy and conduct requirements is completed, employees can be required to acknowledge (via signed statements or other recorded means) that they have reviewed their company's compliance program, understand their responsibilities under it, and agree to comply with the program.

4. Beyond just formal certification of understanding of compliance duties, employees' operational understanding of compliance requirements can also be the focus of accountability reviews.

Example a: One means to determine if employees have sufficient understanding is to conduct tests of their knowledge of necessary reactions to compliance problems. A more elaborate, but potentially more effective, approach is to conduct simulations of conduct raising significant risks of noncompliance and to monitor whether employees undertake the actions necessary for compliance.

5. Managers' expectations that individual employees up and down an employee chain are personally accountable for compliance in their personal activities can be demonstrated periodically as corporate activities are completed.

Example b: One company helped reaffirm that employees were accountable for their own compliance by requiring that all employees execute a Certification of Compliant Business Practice covering their actions for the prior year.

6. Employee perceptions about managers' accountability for compliance can affect compliance by the employees as well. An employee who believes that his or her manager will be held accountable for this type of performance knows that the manager will impose similar accountability on subordinates.

Example c: Surveys of anonymous employee opinions about the accountability of company managers for compliance is one of several methods used by one compliance program vice president in his efforts to assess management accountability for compliance.

(b) Designing a program with input from knowledgeable individuals about likely gaps in compliance accountability.

Comments:

1. The identification of company practices raising risks of compliance accountability gaps sometimes requires a combination of legal and operational expertise. This means that a wide array of parties may be valuable contributors to the development of accountability features of compliance programs. These individuals include managers, employees, company attorneys, and compliance program consultants.

2. Often, the nature of operational activities that give rise to compliance accountability gaps will only be known to employees undertaking those activities. Hence, it will often be desirable to involve such employees in the development and evolution of a compliance program. Involvement of individuals at all relevant levels of conduct whose actions are to be held accountable for compliance results will help assure that the design of the program will be appropriately geared to the realities of the organization.

3. The involvement in compliance program design of employees with day-to-day operating experience can also promote later adherence to the program. Such involvement lessens the chance that the resulting program will meet with resistance. Participation increases the sense of the employees' ownership of the program and, in the end, will increase accountability of individuals.

4. While the involvement of insiders is essential, sometimes the viewpoints of an outside analyst can help ensure that proper accountability checks are incorporated in compliance systems.

Example a: Seeking to incorporate reality-based standards and mechanisms for change adaptation, one company convened an annual one-day, internal compliance practices forum that featured, among a number of agenda items, a voluntary outside guest speaker to comment on lessons learned from actual compliance violation problems.

PRINCIPLE 7: ENSURE PROGRAM FAIRNESS

An effective compliance program is designed to operate fairly and equitably.

Factors to Consider:

(a) Incorporating practices in a compliance program that treat all employees fairly and consistently.

Comments:

1. The fairness of a compliance program will sometimes depend on how the program is applied across multiple components of an organization. Careful program design will result in discrete audiences receiving effective communication of program features so that the meaning and application of the program to those audiences is clear and the chance for ambiguity and confusion, and consequent noncompliance, is minimized. The result should be that each audience has sufficient appropriate information so that it is properly prepared to implement the program, minimizing the risk that a portion of the audience will not be properly advised and calling into question the fairness of the program.

2. To ensure adequate notice, compliance requirements for which employees will be accountable can be distributed or communicated to them in a timely, effective manner. It is often desirable for the distribution process to be auditable and monitored to ensure that all employees have received information about the compliance program. There can also be a process for monitoring the distribution of a compliance program to new employees.

3. The fairness of a program may also turn on advance notice to employees of key system features, particularly those like disciplinary practices that may adversely affect employees. The enforcement of a compliance program will typically include disciplinary action against employees and this should be clearly understood by employees who are governed by the program. One way to further this end is for the consequences of various violations of compliance program standards, which may include termination for cause, to be clearly communicated in the program materials. Such an approach will both bring home the seriousness of these consequences and minimize the risk that the fairness of the program will be called into question.

4. Procedural fairness in dealing with individuals who are suspected of violating compliance program standards will often be another key concern. Generally, this type of fairness will be addressed by the procedural features of an organization's internal response to suspected violations. Organizations should react to suspected violations of compliance programs with due regard to the interests of employees. Such interests may include confidentiality, an opportunity to be heard, and a chance to be appropriately advised. In addition, the applicability and requirements of grievance procedures defined under union contracts should be considered.

5. The fairness of the treatment of an individual employee in a given case may depend on that employee's understanding of compliance program procedures. Persons who are the focus of an inquiry into possible misconduct may be given special information about investigation procedures and related appeals. Alternatively, these persons may be given access to resources that will allow them to learn more about these procedures.

Example a: To ensure that employees understand this process, one company assigned an "Employee Advocate" who assisted an employee being investigated through the process. This helps ensure consistency and equity in the treatment of employees who are suspected of compliance program violations, to the benefit of both the employees and the perceived and actual integrity of the investigative system.
However, such an approach may not be available in environments governed by union contracts. In addition, the person serving as an advocate would need to have sufficient independence from management so as to not be perceived as an agent of management in guiding the employee under scrutiny.

6. The enforcement features of a compliance program may have checks and balances built in to help avoid unreasonable actions on the part of the enforcement personnel.

Example b: Proposed discipline might be required to be reviewed by several levels of higher management to ensure accountability for the actions taken. In addition, a company's Human Resources Department might be consulted to assist with such issues.

7. Perceptions of fairness among those governed by a compliance program can be monitored to ensure that a company does not overlook fairness concerns.

Example c: In order to monitor and sample the fairness and equity of a compliance program, one corporation included a "fair and equitable treatment" question in its internal audit compliance program audit test modules. The results were then provided to the firm's corporate compliance committee.

8. Small businesses in which only one owner or manager is responsible for a compliance program and its enforcement can create an appearance of unfairness because of a lack of checks and balances. This problem may be minimized by using an arbitrator or outside attorney to determine the facts and recommend any disciplinary action when the owner or manager finds it necessary to charge an employee with violation of compliance standards or the law.

(b) Providing mechanisms that guard employees against retaliation for raising compliance issues.

Comments:

1. Retaliation against employees utilizing company hotlines and similar misconduct reporting processes is less likely if the source of misconduct reports remains confidential. Consequently, many compliance programs attempt to protect the confidentiality of whistleblowers' identities where such confidentiality does not preclude the investigation of reported misconduct. The anonymity of individuals reporting suspected violations is maintained in order to encourage communication which might otherwise not occur for any number of reasons, such as retaliation by the organization, retaliation by the subject, or retaliation by fellow employees. Anonymous reporting may, however, be less effective in enabling the organization to investigate suspected violations, because of the lack of specificity of reports and the lack of opportunity to question the reporting employee.

2. A number of methods may be used to maintain the confidentiality of whistleblower identities.

Example a: In one highly protective compliance program, numerous steps were taken to ensure that the identity of employees asking questions or raising concerns were safeguarded to every extent possible. Employees could also raise concerns anonymously. Telephones used for the company hotline were not equipped with trace features, answering machines for recorded reports or questions were locked away, and access to these machines and other hotline records was closely constrained. Retained records were limited to those that were required to assure responsiveness. Only records that were scrubbed of names and other identifying marks were provided to company auditors who reviewed the effectiveness of the hotline program.
Any external communications regarding investigations were controlled by company attorneys.

3. Careful monitoring of corporate responses to perceived violations of compliance program standards can also help deter retaliation against whistleblowers. Hence, many firms include as part of their compliance programs processes to monitor the response and any corrective actions taken with respect to reports of noncompliance with the organizations' compliance programs. This sort of monitoring should provide accountability for those dealing with instances of noncompliance which will help to ensure that retaliatory actions are not taken against employees reporting instances of noncompliance. Further, this type of monitoring process should help to ensure that corrective actions are taken to prevent instances of noncompliance from recurring and to ensure that the response taken was the appropriate response due to the nature of the noncompliance. See also Considerations 17(d), 18(c), (f) & (g).

4. Some companies complete a further check on the success of their anti-retaliation practices by making a follow-up contact with a whistleblower to see if there has been any retaliation.

5. Providing an assurance of confidentiality may be particularly difficult in small firms where the owner or manager who is the compliance officer personally knows employees. Even anonymous "hotlines" may not be effective because employees fear the owner or manager will recognize their voices. To overcome this problem, the owner or manager can repeatedly state his or her desire to receive tips and complaints with a guarantee of no retaliation, and should provide multiple methods of whistleblowing, including hotlines, mail, and suggestion boxes.

STRUCTURE AND CONTROL

PRINCIPLE 8: MAINTAIN HIGH-LEVEL OVERSIGHT

Specific high-level personnel in an organization are responsible for the administration and oversight of the compliance program.

Factors to Consider:

(a) Having an organizational compliance officer take "ownership" of the compliance function in the sense of having overall responsibility for initiating, coordinating and reviewing organizational compliance efforts.

Comments:

1. If management responsibility for the program is too diffused among all managers, there is a risk that no one manager will take on the role of advocating ethical and compliance-oriented policies and conduct.

Example a: One method to make it more likely that the compliance officer will take "ownership" of the compliance program is to link the compliance officer's job performance to incentives. A compliance officer's performance evaluations might include an examination of the officer's compliance activities, and the officer may be required periodically to sign a written assurance of compliance.

2. Specific personnel within the organization should have overall responsibility for managing and overseeing the overall compliance program. In some organizations, it may be desirable to give specific compliance functions to more than one individual.

Example b: One organization followed both a "single" person approach and a "multiple" person approach. The organization had a full time "Compliance Officer"; however, that person did not perform the compliance function alone.
A variety of constituencies in theorganization also played major roles, including, for example,management, auditors, security, the Ethics Department, and variouscompany attorneys.Example c: The Compliance Officer in one company had a group ofsubordinates with the group members holding responsibility for day-todaymanagement of different components of the company'scompliance program.3. A compliance program should generally be viewed as an importantmanagement system by both those in charge of the program and those whoare subject to the program. Absent clear responsibility and accountability forthe operation of a compliance program, completion of compliance tasks andmonitoring will take second place to other day-to-day management andoperating tasks. Consequently, it is important to designate a party who isoperationally responsible for a company's compliance program, much in thesame way that a firm would designate a manager to be responsible forproduct quality or workplace safety. It may be useful for the form andsubstance of this designation to mirror other assignments of importantmanagement tasks within the same organization. Thus, a useful test for thesufficiency of compliance program responsibility will often be whether the leveland scope of responsibility and managerial clout would be deemed sufficient

Page 51: Table of Contents

if other critical functions like product quality or worker safety were involved.81(b) Considering whether the designation of one person with primaryresponsibility for management of compliance practices will lead othersin the organization to conclude that compliance is only the complianceofficer's job.Comments:1. It is normally valuable for a company to pursue a balance betweenhaving one person or group take "ownership" of the program and havingwidespread accountability for compliance among all employees.Example a: One company pursued the goal of widespreadaccountability by conducting audits of managers and supervisors withdetailed, specific questions about the individuals’ discussion ofcorporate policy and ethics with subordinates, reporting of wrongdoing,and observing any unethical or illegal actions.2. It will often be useful for a compliance manager to haveresponsibility for aggressively developing, implementing and overseeingcompliance programs. All other managers, if not all employees, can becharged with performing their normal duties in a fashion supportive ofcompliance. Company managers, if not all employees, can be made awarethat part of their performance evaluations will depend upon how well theyparticipate in and support their organization's compliance program, and canbe constantly reminded and educated concerning their compliance duties.3. There is a balance between delegating the practices andprocedures of a compliance program to others throughout the organization,and having the central, high-level authority required for administration of aneffective program. It must be made clear to all managers and employees thatthe program is administered by a specific, top-level manager with full authoritywho reports directly to the company's Board of Directors or Chief ExecutiveOfficer.82(c) Insuring that the top organizational executive with responsibility for acompliance program has the degree of clout necessary to make theprogram effective.Comments:1. 
It will typically be useful for a compliance program manager to havethe power and prestige necessary to obtain the attention of other managers.In many companies, this will require that the compliance manager bedesignated as a Vice-President or Executive Vice-President, and that othermanagers understand that the compliance manager has direct access to theCEO and Board of Directors.Example a: The compliance officer of one company was the executivevice president. That person received periodic updates on the status ofcompliance from the manager of corporate compliance and eachmanager of various compliance sections, such as EnvironmentalAffairs, Risk Management, Security, Compliance AdministrationActivities, etc.Example b: One company designated a compliance officer below thesenior officer level, while involving several senior level officers in thecompliance effort.2. Sometimes the CEO is the only person with sufficient clout tooversee compliance activities.Example c: A company with 125 employees whose CEO/owner

Page 52: Table of Contents

usually conducted "important" business himself found that delegatingcompliance activities to one of four other managers caused employeesto believe the company was not serious about its compliance program.Only when the CEO took personal responsibility was the programeffective.3. Evidence of a CEO's lack of strong commitment toward acompliance program may destroy a compliance program manager's clout.Example d: When a business professor surveyed the managers andsupervisors in a large international company, she found that eachmanager and supervisor was constantly aware of worker safety issuesand strived to meet the company safety goals, but seldom followed thecompany's official equal employment policies. The difference inattitude and compliance resulted from the CEO's personal interestsand activities. As a former medic in the Army and active Red Crossvolunteer, he conveyed a sense of interest and urgency concerning83safety issues. However, he did not express personal interest in equalemployment issues.4. In order for the person in charge of a compliance program to havesufficient managerial authority to make the program effective, the complianceprogram manager will often need to compel operating managers to discloseinformation about their present and anticipated activities and to challengethose activities where they appear to be unlawful or to involve unjustified legalrisks.Example e: In order to raise those types of issues, it will often bedesirable for a compliance program manager to occupy a managerialpost at a superior level to the managers of the operations governed bythe program.Example f: Alternatively, the compliance program manager shouldreport to an executive who is a superior of the operations governed bythe program. In the latter type of arrangement, in order for thecompliance program manager to perform his job properly, it will becritical for the manager to have the ear and confidence of her superior.5. 
A publicly traded company may have the person responsible for thecompliance program report to an independent committee of the Board ofDirectors to give the compliance program manager added clout andindependence. This may be done by a board resolution that creates a formalrecord of the program's status. The board committee can also requireperiodic reports on the program's progress.(d) Determining the compliance officer's proper level of authority andaccess to the organization's governance authorities in order to ensureboth that the officer is able to exert effective control over compliancerelatedmatters and that compliance management is perceived as animportant activity by other organization members.Comments:1. Specifying that a compliance manager will report to the highestauthority in a company can enhance the individual's authority. Reporting tothe highest authority in a corporation will be critical in the event thatnoncompliance becomes the subject of internal investigation or self-reportingto public officials.Example a: Clarifying a compliance manager's authority can beaccomplished by having the compliance manager reports directly to a84

Page 53: Table of Contents

company's Chief Executive Officer, Board of Directors or a Board Committee.

Example b: Another approach used by some companies is to appoint the compliance officer to the organization's executive board.

2. A compliance officer's access to top corporate officials can determine the effectiveness of that officer. Where she has regular access to top operating officials, a compliance officer can be more effective in obtaining cooperation with compliance studies and in pursuing changes in corporate operations when compliance problems are detected. Furthermore, through regular interactions with top officials, compliance officers can establish useful business relationships with key business leaders. Such relationships can be critical in ensuring a rapid, smooth, and effective response once a serious incident of corporate misconduct is detected.

3. Smaller companies without a General Counsel's office should consider any high-level staff officer, a comptroller, or a personnel manager, who reports directly to the CEO as overseer of the compliance program.

(e) Selecting a compliance officer with personal characteristics that will make the individual effective in leading and promoting organizational compliance efforts.

Comments:

1. A compliance manager's reputation for integrity, ability to forge relationships of trust, and personal credibility are of paramount importance to a successful compliance program.

Example a: Companies that will add compliance responsibilities to the pre-existing responsibilities of a manager might choose a top-level manager who is trusted and admired by other managers and employees. Other companies appointing a full-time compliance manager might do the same when appointing a current manager to the new position of compliance manager.

Example b: Companies hiring a compliance manager from the outside should engage in an extensive background check to ensure the individual has the qualities of integrity, credibility, and trust.

2. A compliance manager's ability and reputation for following through on commitments is also important. A good compliance manager will generally need to be willing and able to act upon employee complaints, and to act in cases when possible wrongdoing is suspected.

Example c: A university disability rights compliance officer became ineffective when students and employees learned that suggestions and complaints rarely resulted in any investigation or other action.

3. A compliance manager will generally need the ability and authority to make unpopular decisions. Enforcing compliance guidelines may involve negative action against powerful, higher-level managers, and may involve orders to stop ingrained and profitable activities.

Example d: If a compliance manager learns, for instance, that salespersons are spending large sums of money to "wine and dine" military purchasing agents, taking action to curtail the practice may be resisted not only because the practice is successful in obtaining contracts, but also because the current Vice-President of Sales considers any suggested changes as a personal assault on his or her honor or business ethics. The compliance manager must, however, have the ability to take action if the program is to be successful.

4. The personal characteristics of a good compliance program
manager mirror the desirable characteristics of a good manager of any corporate activity. Desirable characteristics include the ability to set goals, translate those into specific program activities, motivate subordinates and others who must undertake compliance tasks, monitor progress in program activities, and make corrections where program goals are not being attained. A firm may wish to ensure that its compliance program manager has those capabilities by choosing an experienced manager who has demonstrated such qualities in connection with management of other corporate functions.

5. Past involvement in or toleration of illegal activities or breaches of the company's compliance program should normally disqualify an individual from a subsequent role as the manager of the company's compliance program. Persons who are subject to the program will not take it seriously if they believe that the person in charge does not value compliance and demonstrate that interest in his or her own conduct.

6. The reputation of a compliance program manager may be particularly critical in certain functions. For example, if an organization uses a hotline answered by its compliance manager, the reputation and integrity of the manager may be a deciding factor in the success of the hotline.

(f) Determining what functions, if any, the compliance officer should perform besides management and oversight of compliance activities.

Comments:

1. Limiting a manager to compliance activities allows the person to devote his or her primary attention to this task. If the individual has other duties, such as a Financial Vice-President or corporate attorney, the person's other duties may involve specific activities with deadlines to meet, causing procrastination in acting on compliance issues. However, steps may be needed to avoid having a full-time compliance officer marginalized and excluded from the real power in an organization.

Example a: Companies frequently make the error of assigning compliance program responsibility to a manager who is already overburdened with other tasks. One solution to this problem is to appoint a high-level compliance officer with substantial management clout and other duties beyond overseeing compliance, and to provide that official with a full-time assistant to aid with compliance matters.

2. Adding compliance duties to the pre-existing functional duties of a manager may result in giving the individual more power, resources, and inclusion in the real decision-making executive meetings.

Example b: Some organizations have designated their chief financial officer as the compliance manager because this person has control over the finances, and often manages the auditing and security functions of the organization.

3. Smaller organizations that cannot afford to have a full-time compliance manager may assign compliance duties to a current manager or officer. To effectively conduct the compliance program, it may be useful for the company to specify the amount or percentage of time the manager will spend on compliance activities, the percentage of any performance evaluation that will depend on his or her compliance activities, and the compliance activities' budget and staff assistants, even if part-time, that the manager will have available.

4. If a compliance manager has other responsibilities, an organization may need to take appropriate actions to prevent a conflict of interest.

Example c: If a financial vice-president is appointed to be the compliance manager, the organization should consider whether another manager should oversee compliance in the finance department.

5. A firm may wish to give its compliance program manager further duties because the additional duties mesh well with activities necessary to operate a compliance program. The manager's additional tasks may be ones that can be efficiently carried out in conjunction with compliance program activities.

Example d: A firm may wish to assign responsibilities for compliance programs to the company's comptroller if compliance monitoring of the firm can be efficiently performed by inside auditors in conjunction with traditional financial auditing.

6. Compliance tasks may also be usefully linked to other duties where the purpose of the linkage is to place a party with substantial management authority and status in charge of compliance activities.

Example e: Some organizations have designated their Chief Financial Officer as their compliance program manager. This choice establishes the compliance program manager as a person with substantial institutional clout who can react effectively to compliance problems.

(g) Making sure that a compliance officer has or can draw upon the types of expertise that are necessary to operate the compliance program effectively.

Comments:

1. Various types of expertise may be useful in overseeing compliance programs. Often a company's goals in operating a compliance program will dictate the type of expertise in a compliance manager that will best suit the company's needs.

Example a: Some companies have appointed attorneys as compliance managers because the basic thrust of the Federal Sentencing Guidelines for Organizations is on legal compliance.

Example b: Other companies have used accountants because of their experience in conducting audits.

Example c: Still other companies have chosen in-house managers with lengthy in-house experience because these managers know how the company really operates. In-house managers also know how to achieve effective corporate change.

Example d: A few companies have hired experienced managers from outside their corporations in order to inject new ideas into a compliance program.

2. A specific area of education or expertise does not ensure that one is an effective compliance manager.

Example e: A mid-sized manufacturing firm transferred an attorney from the legal counsel's office to be the corporation's major compliance manager. The results were disastrous. The attorney wrote a compliance manual that, while legally correct, was totally impractical. As a result, managers and supervisors ignored the compliance rules.

3. It will be desirable for the party in charge of a compliance program to be well informed concerning the business operations covered by the program, sources of information about those operations for purposes of compliance monitoring, legal requirements that those operations must meet,
and means to instruct and motivate employees to take actions needed to meet the relevant requirements. A compliance manager need not be an expert in all these aspects of a compliance program if the manager has access to others with the necessary expertise. A compliance manager may benefit from direct access to company attorneys, auditors, environmental engineers, health and safety personnel, experts in communication (video production, graphic design, etc.), and other specialists with expertise bearing on compliance issues.

Example f: A mid-sized service company promoted a long-time administrative assistant to the CEO to the position of Vice President of Ethics and Legal Compliance. The manager had experience in how to get things done within the company, a reputation as being close to the CEO, and good organizational and communications skills -- including experience in developing and disseminating corporate policies. She was given strong support in areas beyond her expertise such as determining legal requirements.

4. An important consideration in choosing a compliance manager may be operational expertise regarding management and the company's separate facilities or divisions. Adopting compliance standards may be effectively accomplished by a compliance manager hired from without the company, but implementing the standards requires knowledge of how the company operates. If an outside compliance manager is hired, companies should consider assigning an assistant compliance manager who is familiar with the company's procedures.

5. In some instances, the need for legal expertise on the part of a compliance manager may indicate that a corporate or division attorney is the proper party to oversee a compliance program. Selecting an attorney for this post helps ensure that the full range and complexity of governing legal requirements are taken into account in defining and operating a compliance program. In addition, an attorney can often ensure that corporate compliance is assessed in terms of how a company would fare in a court or administrative proceeding.

6. Despite the advantages just mentioned, there are several reasons why an attorney may not be the best type of compliance program manager. First, an attorney may lack the managerial skills to conduct compliance program activities. Second, an attorney (either inside or outside counsel) may lack sufficient respect by operating managers and employees to make a compliance program work. Third, by crossing the line into management, an attorney and her firm may forfeit attorney-client privilege protections that might otherwise have applied to communications with counsel and related evaluations. A better choice may be to construct a compliance program to involve attorneys -- but not be managed by those attorneys -- and thereby maintain the attorney-client privilege.

(h) Identifying resources, support and infrastructure needed by the compliance officer and others to pursue compliance effectively.

Comments:

1. Every position within the company that has people reporting to it or has responsibility for contracting with vendors or hiring independent contractors could have as one of its duties the prevention and detection of conduct which violates the company's standards and procedures regarding
compliance with the laws that are most pertinent to the position's business purpose. That could create an infrastructure that leads all the way up to the president and a network for dialogue among people with compliance-related duties all the way to the chief compliance officer. Ultimately, that is a sharing of responsibility for compliance among all supervisory and/or purchasing personnel of the company.

2. The resources -- expertise, program ideas, auditing methods, etc. -- necessary for successful compliance program operations may be available in-house, or from outside sources. An organization should consider surveying its present management for individuals who have any knowledge of programs conducted by other companies, journal articles and books concerning business ethics, corporate compliance with the Federal Sentencing Guidelines for Organizations, or other relevant knowledge or experience. Outside expertise can include attorneys and consulting firms specializing in compliance programs, professional books on compliance and non-financial auditing, the National Center for Preventive Law, and past and current issues of its journal -- the Preventive Law Reporter.

3. Smaller companies without in-house attorneys or auditing staff may consider engaging a private attorney to develop, or assist in developing, a compliance program. The outside attorney might also be used to periodically update the program or conduct compliance audits. However, it is important to find an attorney who specializes in corporate compliance programs and audits. Many attorneys do not have the expertise, nor a preventive law approach, to giving advice about compliance systems.

4. An adequate budget and staff, commensurate with the size and activities of the organization, often is vital to an effective program. It may be useful to include compliance program expenses as a line item in company budgets, thereby ensuring that sufficient resources for compliance activities are considered and allocated each year. Appointment of a compliance manager without any resources to allow the manager to effectively carry out the compliance program may be seen by judges as an effort to mislead the court. That can have a worse effect on criminal sentencing than having no program at all.

5. Some functions of the compliance manager or staff may be accomplished by using existing organizational policies, practices and procedures. For instance, communications to employees can be accomplished by using the same resources the organization uses for communicating with managers and employees on other matters. The decision whether or not to use outside services will often depend on the availability of existing personnel who can add compliance activities to their existing workloads.

6. The effectiveness of a compliance program manager will sometimes turn on the resources that he or she can bring to bear on compliance reviews and responses to compliance problems. To the extent that resource needs can be anticipated, these resources and their availability to the compliance program manager should be planned out in advance. Consequently, a company may want to plan for resources to be applied to monitoring and reacting to foreseeable types of offenses in the corporation. The tools and skills needed may be available in-house, or it may be necessary to obtain them outside the company.

7. Companies may use committees either for the compliance officer function or to support the compliance officer. These can bring together the
expertise and resources of important departments, such as legal, auditing, security and personnel.

8. One way that a company can ensure that adequate resources are allocated to compliance program activities is to include a line item for such activities in corporate budgets. In addition to regularizing the provision for compliance activities, this approach can encourage periodic attention to changing compliance program needs as successive budgets are formatted.

PRINCIPLE 9: ASSIGN INDIVIDUAL RESPONSIBILITY

A compliance program has the support of senior management of the organization. Each officer, manager and employee is responsible for supporting and complying with the compliance program's standards and procedures.

Factors to Consider:

(a) Having participation in and support for the program throughout the organization and not limited to the compliance officer.

Comments:

1. Participation throughout an organization means attention to compliance in operational practices at every management level. In the midst of other performance pressures that are typical of middle management environments, corporate managers at middle levels in corporate hierarchies may only address compliance concerns and translate them into operational directions to their subordinates if the managers know that these compliance-oriented activities will be monitored by higher level management.

Example a: To encourage company-wide compliance, one large corporation conducted audits of management performance in which each manager was specifically asked to produce his or her copy of basic company policies and to explain how the manager informed employees of the policies.

2. To maximize the effectiveness of a compliance program, corporate managers will often need to remember that compliance, like other aspects of corporate performance, is ultimately a responsibility, in part, of corporate line managers who control day-to-day business operations. The essential objectives of a compliance program include ensuring that line managers give attention to compliance matters in their oversight of corporate operations and that compliance efforts are integrated with other day-to-day management practices and procedures. Hence, a company may wish to specify in its compliance conduct code that each corporate manager and employee is responsible for compliance in corporate activities under that individual's control. Periodic compliance reviews of actions by individual employees and managers should be based on this same concept of individual responsibility.

(b) Considering the consistency of the incentive, appraisal and recognition systems used within the organization with the idea that compliance is a widespread responsibility.

Comments:

1. Certain types of employee incentive schemes can increase the likelihood of offenses by corporate employees. For example, a system providing for large bonuses or compensation increases for the attainment of sales or production quotas can encourage illegal actions to meet the quotas. Such incentives are particularly strong where the quotas needed to obtain significant rewards are extremely difficult or impossible to attain through legitimate means. That may be the case because the incentives were unreasonable from the outset or because a company did not reduce them
when surrounding conditions and opportunities for attainment of the quotas changed. In general, the stronger the performance-based incentives are for a position, the more substantial the controls and monitoring of improper means of performance should be.

Example a: To reduce the possibility that performance-based incentives may promote illegal actions, firms may wish to review their performance-based incentive schemes to determine if assigned quotas are ones that can be obtained through diligent, but lawful effort.

Example b: In addition, where an employee has attained unusually high levels of performance, a firm may wish to review the methods whereby the employee accomplished this atypical productivity.

2. Performance-based incentive schemes can play a positive role in compliance where positive compensation or advancement rewards are tied to the completion of compliance-related tasks. Rewards for excellence in compliance activities (to the extent that such excellence can be measured) will be particularly effective in encouraging increased compliance efforts.

(c) Examining the variety of ways senior management can send the message that it considers a specific compliance behavior or objective to be high priority.

Comments:

1. Employees are aware of the manner in which managers treat matters that the managers believe are important. If managers regard compliance matters as unimportant, employees may come to believe that compliance may be overlooked in a crunch. Therefore, a company should compare its treatment of compliance issues to its handling of other critical performance issues.

2. As part of sending the message to employees that compliance is a high priority, organizations may want to assess whether employees are receiving and understanding the message.

Example a: Some companies have surveyed their employees to assess employees' beliefs about management's attitudes towards compliance. Such surveys can be useful in determining whether employees find a compliance program to be credible, and whether employees are inclined to pursue compliance as a critical concern of their superiors. The surveys also can ascertain whether employees understand the legal requirements affecting their jobs and the operational steps necessary to satisfy those requirements.

(d) Determining the degree to which the monitoring of subordinates' compliance or ethical practices is part of day-to-day management.

Comments:

1. Compliance is ultimately an operational feature of corporate business operations. An effective compliance program will ensure that compliance considerations are addressed in connection with everyday business activities. In order to ensure that this is the case, a firm may wish to determine if its compliance efforts meet the following tests:

(i) Performance demands imposed by the system are well understood and generally met by corporate employees;

(ii) The performance required by the system is effective in satisfying legal requirements; and

(iii) The system fosters an operational emphasis on preventing legal offenses rather than just on detecting offenses after the
fact.

(e) Determining the compliance roles of organizational agents and further participants in the organization's business activities other than employees.

Comments:

1. In some contexts, corporations are responsible for compliance by their outside agents and contractors. In order to determine what actions of agents and contractors may lead to corporate liability, firms may wish to assess the legal requirements that govern the activities of their agents and contractors (particularly strict liability standards) and identify the mechanisms necessary to determine if agents and contractors are meeting those requirements.

Example a: Where a firm is subject to strict liability for false or inaccurate product labeling and the firm enters into subcontracts providing for the labeling of its products by another concern, the contracting party can monitor and review the labeling activities of the subcontractor. That degree of concern over that specific aspect of the subcontractor's activities will be advisable since the contracting party will be liable for the subcontractor's mistakes. Ethical considerations and public opinion regarding the proper scope of corporate responsibility for supplier actions may justify broader controls over supplier conduct than just those necessary to prevent liability.

Example b: One company sent a copy of its Code of Ethics to its active vendors with a letter from the company's Compliance Officer explaining what the firm expects of its vendors and what the vendors could expect from the company. The firm also sent the vendors a copy of the corporate compliance staffs' phone numbers so the vendors could report any inappropriate behavior.

2. Another way that concerns can become liable for illegal activities by their subcontractors is through instructions by a contracting firm that effectively call for or authorize illegal activities in carrying out a subcontract. Firms should be particularly attentive to instructions to agents that might be interpreted as authorizations to violate laws. Firms should also avoid tolerating known violations by subcontractors in the course of work under a company contract. Such toleration could be interpreted as ratification of the illegal conduct, resulting in the contracting firm being deemed to have approved subsequent misconduct of the same sort.

3. The CEO or other top officer of a smaller company without written codes of ethics or compliance standards can write letters to outside agents and contractors expressing the requirement that all laws and regulatory rules be followed. The letter can add a listing of important rules and regulations affecting the business.

(f) Examining the express and implied messages that managers give to employees about meeting the organization's compliance goals.

Comments:

1. Since compliance is a responsibility of corporate employees, corporate managers should generally give compliance policies, instructions, and problems the same sorts of attention that those managers give other important operational topics. Thus, in the day-to-day operation of the corporation, line managers, including the executive and operating officers at all levels, can usefully direct their attention, through the management mechanisms utilized throughout the organization (e.g., objective setting,
progress reports, operating performance reviews, departmental meetings), to measuring, maintaining and improving the organization's compliance.

2. If an organization wants compliance to be perceived by employees as being important, compliance monitoring and review will generally need to be a regular activity.

Example a: Line managers might routinely review the compliance status of operations under their control through evaluations of any compliance monitoring and auditing reports addressing the relevant operations, or through direct review of those operations if compliance reports are not available.

3. Annual appraisals of a manager's performance may call for an evaluation of substantive compliance, e.g., did the person participate in or tolerate any misconduct? Annual appraisals may also measure a manager's performance on the procedures of a compliance program, e.g., did the manager obtain training for the staff, create an atmosphere of open communication, provide a role model, raise ethical and compliance questions, and work with the legal department?

4. Smaller companies and others that do not conduct formal performance appraisals should ensure that managers and employees know they are responsible for legal compliance by orally reminding individuals and explaining that compliance is a factor in determining raises and promotions. This should also be done when notifying individuals of a pay change or promotion.

PRINCIPLE 10: DELEGATE AUTHORITY RESPONSIBLY

The organization exercises due diligence to prevent the delegation of substantial discretionary authority to persons having a propensity to engage in illegal activities.

Factors to Consider:

(a) Exercising caution in employing anyone who is under indictment, convicted, or listed as debarred, suspended or otherwise ineligible for federal programs, except where such employment is approved by a senior executive and the reasons for the employment are recorded in writing.

Comments:

1. A company policy of not knowingly employing anyone indicted or convicted of a crime may run afoul of laws of certain jurisdictions, the intent of which is to remove senseless discrimination against the employment of persons previously accused or convicted of one or more criminal offenses. Consider such practices, therefore, on a case-by-case basis. A better practice may be to treat a past indictment or conviction as the basis for further investigation to determine if the circumstances leading to the indictment or conviction bear on job qualifications.

(b) Carrying out this policy through reasonable inquiries into the status of any potential employee or consultant.

Comments:

1. Some companies may perform compliance-related background checks on candidates for most or all positions. Even if a person is hired into a position without discretionary authority, this approach helps deal with the possibility that the person will subsequently be promoted or transferred into such a position.

2. Organizations may wish to consider and limit the sources that will be checked in determining the compliance propensities of individuals, the
questions that will be asked and the period of time that background checks should cover. They may also wish to consider how to evaluate information about past compliance problems of hiring candidates and what mechanisms to institute to ensure that serious compliance issues that come to the attention of corporate personnel in connection with hiring candidates are not overlooked.

3. Reasonable inquiry into an employee's law compliance background may include requesting certain information on employment application forms.

Example a: One organization requested an applicant to state whether or not he or she had been convicted of a crime (misdemeanor or felony) within a specified time period and, if the candidate responded affirmatively, to describe the nature, location and date of the conviction and related conduct.

4. Information that is supplied by candidates on employment applications and which may be subject to verification includes criminal, employment and education records. The search extends, at a minimum, to sources covering the applicant's county of work and residence, and is broadened on the basis of the level and type of position being filled. Fingerprinting, not permissible in all jurisdictions, is another option employed selectively, due either to the prescriptions of a regulatory body or to the type of industry/type of work being performed.

5. Access to law compliance information acquired from employment applicants can be limited on a "need to know" basis. For example, such access might be provided only to a hiring manager, the company's senior human resources specialists, and the company's compliance officer. When criminal activity is present in a report, candidates may be disqualified, providing this is not held to be discriminatory under applicable statutes. Candidates will also be disqualified if the activity was not listed on the employment application, using that lack of disclosure as the reason for disqualification.

6. The relevance (or lack thereof) of a conviction and the type of discretionary authority have a bearing on the decision to disqualify candidates or terminate employees.

7. Employees can be required, during their tenure, to inform their employer of any convictions (felony or misdemeanor), government debarments, or professional disqualifications related to their positions, with terminations being one likely outcome, dependent on the relevance of the event to the individuals' job responsibilities.

8. All employees, full-time permanent and part-time, are screened by one company for drug usage. Background checks are made with previous employers and school attendance.

(c) Suspending indicted employees, agents, or consultants from involvement in company activities until their cases are resolved.

(d) Suspending employees or consultants who are involved in debarment proceedings from further company activities until the debarments are resolved.

(e) Discharging any employee who is convicted or debarred based on job-related conduct.

(f) Exercising care in hiring processes to investigate and consider evidence of past misconduct that is relevant to the position being sought.

(g) Exercising care in promotions and internal transfers to consider an
individual employee's past job performance and internal reputationconcerning compliance and the employee's adherence to theorganization's compliance program.Comments:1. Where a present employee has demonstrated a lack of due caretowards compliance (through such actions as violations of laws, breaches ofcompany compliance program requirements, or indicated willingness toengage in such violations or breaches), this information should be consideredin any subsequent promotion and transfer decisions. In most instances,unless there is clear evidence to believe that the prior unacceptable conductwill not continue, these types of prior failures to promote compliance mayjustify the dismissal of the employee or disqualify the individual frompromotions or transfers into positions of greater corporate authority.1002. Background checks on employees promoted or internallytransferred into positions capable of exercising substantial discretionaryauthority may be particularly important components of compliance programs.These checks are possible means to respond to the requirement of theFederal Sentencing Guidelines for Organizations that, as part of an effectivecompliance program, corporations include steps to exclude from substantialauthority personnel those individuals with a "propensity" toward engaging inillegal activities. For these purposes, substantial authority personnel arethose individuals:"who have substantial control over the organization or who have asubstantial role in the making of policy within the organization. Theterm includes: a director; an executive officer; an individual in chargeof a major business or functional unit of the organization, such assales, administration, or finance; and an individual with a substantialownership interest." 
Federal Sentencing Guidelines for Organizations§ 8A1.2 (Application Note 3(c)).While a "propensity" to engage in illegal activities is not defined in theGuidelines, we take this to mean a clear, demonstrated likelihood of futureillegal conduct based on conduct or compliance-related statements of thecandidate. A likelihood of illegal conduct may be present where a candidateevidences a willingness to engage in or tolerate illegal actions.3. There are various procedures that organizations can employ toconsider compliance-related information in hiring decisions. However,disqualification of individuals for employment based on past criminalconvictions will typically only be desirable where there is a direct relationshipbetween the offenses and the employment being sought.Example a: An employment application can request permission toobtain a consumer report on the applicant. Other sources ofcompliance-related information might also be checked with theapplicant's permission. Access to derogatory information can belimited to a "need to know" basis to protect the privacy of individuals.101(h) Identifying positions that may provide opportunities for violations or actas breeding grounds for violations and more carefully screeningcandidates for those positions with respect to compliance backgroundsand support.Comments:1. Certain types of organizational positions may entail especially highrisks of illegal conduct. Such positions are characterized by broad,

unreviewed discretion over corporate activities, control of extensive corporate resources, oversight of highly regulated corporate activities, responsibility for corporate tasks with extreme public risks, or some combination of these factors. Firms may wish to identify such positions to ensure that parties who are put into those settings are carefully screened for past compliance problems. Identifying these positions will also allow firms to consider whether special compliance monitoring or reviews should apply to the positions to reduce risks of undetected offenses.

2. Given that these individuals have opportunities to initiate or tolerate violations of particularly broad scope and significance, a firm may wish to give particular attention to identify persons in positions with substantial discretionary authority, as opposed to more broadly identifying any or all positions posing opportunities for violations. Although many rank and file positions pose the opportunity to commit violations of law (for example, anyone in an asset custodial role), they do not necessarily possess "substantial discretionary authority." Consequently, asking each unit in an organization to identify those positions containing substantial discretionary authority and using the results to determine which applicants should be scrutinized through compliance background screening policy is one way of giving special attention to the characteristics of persons who will hold substantial discretionary authority while recognizing that logistical limitations may preclude the use of such investigations in all cases.

(i) Addressing the risk of discriminatory personnel practices and invasions of privacy when the propensity of individuals to engage in illegal actions is considered in making personnel decisions.

Comments:

1. As described above, Federal Sentencing Guidelines for Organizations require that an effective compliance program include steps to identify persons with a "propensity" to engage in illegal conduct and to exclude such individuals from positions possessing substantial discretionary authority. See Federal Sentencing Guidelines for Organizations § 8A1.2 (Application Notes 3(c) & 3(k)(3)). Identifying persons with a "propensity" to engage in illegal conduct may entail differing assessments by different corporate managers who must make the determination. The possibility that these evaluations might be made in a discriminatory fashion can be minimized in two ways. First, firms can identify the types of evidence of past compliance problems that managers should consider in determining whether a given individual should be disqualified from advancement due to a "propensity" to disregard law compliance. Second, firms can establish review procedures whereby evaluations that a party should not advance for this reason are reviewed both for consistency with other similar evaluations and for substantive soundness.

PRINCIPLE 11: ENFORCE INTERNALLY

The organization takes reasonable steps to achieve compliance with its standards and the law.

Factors to Consider:

(a) Using evaluative and reporting systems to determine the effectiveness of compliance efforts and to deter and detect violations.

Comments:

1. Obtaining feedback on how a compliance program is doing is often an important step in making the program effective. Evaluative techniques include auditing, monitoring, self-assessments, and any other system to

measure results and to understand what is happening in the organization.

2. Corporate compliance evaluation mechanisms can take many forms. In a small firm, compliance evaluations may entail little more than regular attention by line managers to compliance matters in the course of day-to-day managerial oversight of subordinates. Such a compliance inspection process for a small firm may rely on management personnel, operations personnel or others to assume compliance support responsibilities in addition to their routine duties. Such a compliance program will have less sophisticated systems for establishing compliance procedures, auditing and tracking compliance issues, training employees and carrying out the other programmatic components of their compliance effort than in a large firm.

Example a: In a very small business, the manager or proprietor, as opposed to independent compliance personnel, might perform routine audits with a simple checklist, train employees through informal staff meetings, and perform compliance monitoring through daily "walk-arounds" or continuous observation while managing the business.

3. At an opposite extreme, more extensive and systematic compliance monitoring and evaluation methods may be appropriate in larger organizations. Extensive compliance monitoring will be justified where compliance risks are frequently encountered or where past experience suggests that a high level of monitoring is necessary to deter or detect illegal conduct.

4. Whatever compliance evaluation mechanisms an organization adopts, it will need to support those mechanisms with sufficient authority, personnel and other resources. Assessments of these features should accompany the establishment of any compliance monitoring program. Reassessments of the sufficiency of these types of support should be part of the corporate follow-up to any incident of corporate crime. A particularly thorough review will be warranted in cases where an offense was not initially detected through internal processes but instead surfaced through public disclosure.

(b) Reviewing and auditing employee conduct and corporate operations to provide measures of how the company is doing in its efforts to comply with the law and its own standards.

Comments:

1. Compliance auditing and monitoring measures may deter ethical and legal misconduct in the same way that financial audits may deter financial misconduct. Thus, organizations may incorporate compliance reviews into existing financial audits, utilizing the audit skills and professional standards of financial auditors.

2. A variety of compliance monitoring and auditing techniques may be valuable, particularly in large concerns. The following methods can be useful:

(i) Auditing (with appropriate independence from line management) and inspection (including random, and, when necessary, surprise audits and inspections) of a company's operations and related compliance measures to assess, in detail, their compliance with all applicable legal requirements and the organization's internal policies, standards and procedures, as well as internal investigations and implementation of appropriate, follow-up countermeasures

with respect to all significant incidents of noncompliance;

(ii) Continuous on-site monitoring, by specifically trained compliance personnel and by other means, of high-risk operations and law compliance practices that are either subject to significant regulation, or where the nature or history of such operations or facilities suggests a significant potential for noncompliance;

(iii) Internal reporting (e.g., hotlines), without fear of retribution, of potential noncompliance to those responsible for investigating and correcting such incidents;

(iv) Tracking the status of responses to identified compliance issues to enable expeditious, effective and documented resolution of compliance issues by line management; and

(v) Redundant, independent checks on the status of compliance, particularly in those operations, facilities or processes where the organization knows, or has reason to believe, that employees or agents may have, in the past, concealed noncompliance through falsification or other means, and in those operations, facilities or processes where the organization reasonably believes such potential exists.

3. Some companies use a multi-tiered system of reviews. For example, they allow managers or business units to do self-assessments. This serves an educational purpose and informs managers on how they are doing in a reviewed area. A headquarters group, separate from the unit under review, can then perform a separate review. Thereafter, external reviewers, such as outside law or accounting firms, may do a review of the reviewers to examine their independence and thoroughness.

4. Companies may wish to perform compliance program reviews modeled on litigation discovery processes. This type of assessment would include evaluations of the types of compliance-related documents being created and retained in a corporate operating unit and on interviews with employees having knowledge of compliance-related activities. The advantage of this type of review is that it focuses on the selective view of company compliance practices that would appear in court rather than on the somewhat different or more complete picture of compliance practices held by operating personnel based on their personal knowledge of actual compliance activities not reflected in documents or oral testimony likely to be presented in court. The objective of these reviews is not to create a false image of a compliance program, but to avoid record keeping and other practices that will inadvertently leave behind a false image of compliance program activities.

(c) Using different compliance review methods for different purposes and in different business environments.

Comments:

1. Audits may be designed to perform different purposes. If the intent is to ferret out willful misconduct, then an unannounced audit may be preferred. If the audit is intended to measure the effectiveness of the compliance program, such as whether employees have been trained and whether the training is effective, then surprise may serve no purpose. The benefits and detriments of surprise audits need to be considered. Surprise audits can be disruptive and subversive of employee morale.

2. Methods for monitoring law compliance can be evaluated for both their accuracy and deterrent value. Preannounced audits will detect and

prevent unintentional misconduct and generally entail less disruption of operations than unannounced audits. However, parties who intend to commit offenses in corporate environments may be capable of concealing offenses from preannounced audits. Hence, at least some unannounced audits will be useful to detect manipulations of announced audits. Furthermore, the threat of unannounced audits will have an ongoing deterrent effect since individual employees will be concerned that misconduct may be disclosed through an upcoming audit.

(d) Pursuing self-monitoring and regular reporting in key aspects of business performance related to compliance.

Comments:

1. Self-monitoring may serve as a training device as well as a check and a deterrent in cases where reportable performance measures bear directly on compliance levels. Such reports may be minimally intrusive, yet have a positive impact.

Example a: Workplace injury reports are instances of contemporaneous reports on legally significant events completed in the normal course of corporate operations.

2. While it may be subject to manipulation due to inaccurate reporting, monitoring of performance related to compliance can reveal certain types of compliance problems or situations justifying further scrutiny. This type of monitoring serves as a checking device where reportable performance bears directly on compliance levels.

(e) Using evaluative techniques to measure both the degree of substantive compliance, and how well the compliance processes are being implemented.

Comments:

1. Organizations can evaluate compliance with the law and the organization's code of conduct, as well as the organization's effectiveness in implementing compliance assurance processes. For example, an environmental audit could check a facility's emission level, and the integrity of the monitoring processes in place.

2. Studies to verify the performance of compliance systems may focus on both compliance program operations and results. Reviews of program operations can focus on methods used to select corporate operations for inspection, information gathering techniques used by program personnel, evaluations of whether program personnel are applying all relevant criteria in assessing compliance, reviews of responses to identified compliance deficiencies, and analyses of program record keeping. Studies examining program results should assess whether a company is successfully preventing offenses and, if not, why not. Additional studies may focus on the quality of program reports.

3. The quality of compliance program monitoring can also be evaluated. For example, corporate activities previously assessed by program personnel may be restudied to determine if program records present an accurate picture of compliance in those activities. Where a more thorough follow-up assessment identifies compliance deficiencies that were not revealed in a normal compliance inspection, inspection procedures or personnel may need to be changed.

4. The results of independent verification studies of compliance program operations can be evaluated for patterns. These verification studies

are aimed at assessing the adequacy of overall compliance program activities -- effectively, "checking the checkers." The need for further compliance program activities and the nature of those activities can be systematically determined from compliance patterns found in system verification studies. In addition to determining the sufficiency of planned compliance program activities, verification studies can also ensure that compliance program personnel are neither coopted by those persons whose work they assess nor lax in carrying out their compliance monitoring functions.

(f) Evaluating the desirable frequency and scope of such reviews.

Comments:

1. Plans for reviews of compliance program performance will typically address which units will be reviewed, how often and how large a sample. For some purposes, it may be desirable for an external reviewer to assess all compliance-related activity of a particular sort. However, where compliance problems are less likely or less serious if present, it may be sufficient to rely on occasional self-checking of compliance results by operating personnel. Organizations in highly-regulated industries with high volumes of transactions, e.g., banks or brokerage firms, may find it impossible to monitor all transactions, and thus choose to sample transactions on a random basis.

2. The results of a particular review may indicate whether more or less frequent and extensive reviews should take place in the future. In general, good compliance results will justify modest compliance reviews in the next round of assessments, while poor results will justify increased assessments in the next round. Patterns of poor results can also justify a long-term increase of scrutiny. If reviews in a particular unit repeatedly find problems, that would indicate that more frequent reviews or monitoring for a significant period would probably be desirable for that unit.

3. The adequacy of information gathering concerning corporate law compliance can be evaluated in terms of information reliability, breadth and rapidity of information access, methods of information review and update and other factors affecting the management of compliance-related information.

(g) Assessing the independence and reliability of persons who perform compliance evaluations.

Comments:

1. In situations where credibility is foremost, such as reviews after there has been a criminal conviction, an organization might consider using an "independent private sector inspector general." This can include legal, auditing, investigative and risk management functions.

(h) Determining whether compliance reviews should be done by persons inside or outside an organization or organizational unit.

Comments:

1. An organization can consider the merits of using outside rather than inside personnel to conduct compliance audits. Some organizations "blend" the two methods.

Example a: Even if a work unit conducts self-reviews, some companies use outsiders to serve as a check on the internal evaluators. Cross-audits, conducted by those within the organization but from a different work unit or facility, may help to address this issue. In this type of audit, the reviewers are familiar with the subject area, but relatively independent of the personnel and organizational unit being reviewed.

(i) Devising channels of communication between those who are

performing compliance studies or audits and those who need the results to act on the findings.

Comments:

1. The results of compliance inspections are typically recorded in reports for use by corporate managers in evaluating compliance levels, formulating responses to compliance deficiencies, and monitoring the operation of the compliance system. These reports may describe the corporate practices or activities examined, the compliance standards applied, the analyses performed, and the levels of compliance found. While these reports will entail some corporate dangers insofar as they may be discoverable in subsequent litigation, often the creation and retention of such reports is essential in recognizing and correcting law compliance problems, particularly in firms with changing personnel or widespread operations overseen by numerous managers. Once there are findings, the organization needs to assure that violations and weaknesses are known by those in a position to act. These may include a formalized report process that makes such reporting an automatic step.

(j) Establishing systems to assure follow-ups to negative investigation or audit findings.

Comments:

1. A record indicating that an organization was aware of deficiencies or violations and did not take appropriate action may indicate that the company did not take compliance seriously and was willing to tolerate known or likely compliance problems. To avoid this result, an organization should consider ensuring that corrective actions are taken as a regular part of the follow up to findings of noncompliance or potential compliance problems.

2. Part of the follow up to adverse compliance findings should be an increased level of compliance monitoring for the business unit involved and for other business units undertaking similar activities. This sort of additional monitoring will be particularly justified where the revelation of a compliance problem demonstrates a possible weakness in a company's compliance monitoring practices -- e.g., where the revelation occurred not through regular company monitoring, but rather through extraordinary mechanisms like whistleblower reports or external investigations by public authorities.

(k) Using real-time monitoring of conduct as a technique to achieve compliance.

Comments:

1. In areas where compliance is particularly important (e.g., toxic waste handling procedures with significant public health implications) or particularly difficult (e.g., company activities that have previously involved offenses), companies may wish to conduct real-time monitoring of compliance results. This will entail assessments of whether recently completed corporate activities meet applicable legal and compliance program requirements. All results of a particular type or a carefully selected sample of those results might be given this scrutiny. The objectives of this type of monitoring are to mitigate any harmful effects of past noncompliance and to prevent repetition of the same type of misconduct.

2. In critical compliance settings, reasonable compliance efforts may also include extra preventive measures such as attention to the step by step actions necessary to achieve or promote law compliance. Rather than conducting an annual audit to determine whether the company's activities

over the past year were in compliance with applicable laws, a company with a preventive approach monitors factors affecting whether employees are likely to commit violations.

Example a: This type of monitoring is sometimes undertaken by questioning employees about the company's compliance standards and their perceptions of ethical and law compliance problems in frequently encountered work situations.

(l) Having a means for employees and agents to report violations of the standards.

Comments:

1. As a supplement to periodic compliance inspections, a firm can maintain mechanisms for receiving and investigating employee tips about misconduct by fellow employees. Investigations triggered by these tips can be highly efficient and effective ways to focus corporate resources on the detection and elimination of offenses. In addition, if reports by whistleblowers are not investigated, firm managers may be found to have engaged in a pattern of reckless toleration of the type of misconduct involved.

2. If a company is serious about obtaining reports of internal misconduct from its employees, management will structure its mechanisms for receiving such reports to maximize employee confidence in the integrity and effectiveness of those mechanisms and to minimize employee deterrence due to concerns over retaliation. As with other types of reporting, different concerns have identified various sorts of procedures and practices that best facilitate the flow of compliance violation reports. Means utilized for reporting compliance violations include hotlines, direct reports to management, announced "open door" policies, letter boxes and email addresses.

3. In smaller companies where the compliance officer personally knows employees (and possibly their voices), anonymous reporting avenues should include written notes in suggestion boxes, receipt of mailed letters, and unsigned email.

(m) Providing protection against retaliation for those who report misconduct.

Comments:

1. Because members of any organization will generally be reluctant to report on their fellow members, and those who do report will often feel vulnerable, avoiding retaliation (and the fear of retaliation on the part of persons with unreported information on compliance problems) is one of the most difficult tasks in any compliance program. For this purpose, anonymous calls may be permitted, to minimize the risk of such retaliation.

2. Organizations may adopt and publicize strong policies to protect those who report violations. Retaliation may be treated as severe misconduct, subject to strict discipline.

3. Sometimes the risk of retaliation may be tied to continuing relationships in the workplace. Organizations may consider transfers of reporting persons or others to prevent subtle retaliation from occurring.

4. To emphasize employee protection against retaliation, a written compliance program and communications to employees may add the following in bold type: "No employee shall be retaliated or discriminated against for using the procedures contained in this policy [or program]. Violation of this rule is considered extreme misconduct, subjecting a supervisor, manager or employee to possible immediate discharge."

5. Some companies give callers a case number so they can later call to determine the status of their case without revealing their identity. Internal reports about the case are identified by that number so that names do not have to be used. Information about such calls is made available only on a need-to-know basis.

(n) Taking steps to assure that employees and agents know how to reach systems for reporting offenses and other misconduct.

Comments:

1. Employees can be reminded of the compliance program and the reporting system through a number of means. These include: (a) prominent coverage of reporting systems in a company's code of conduct, (b) discussion in training sessions, (c) emphasis in letters from top management, (d) references in the organization's internal publications, and (e) descriptions in posters.

2. In order to encourage use of the reporting systems, organizations may take steps to give them a positive tone. Some organizations refer to hotlines as "Helplines" or "Advice Lines" for this reason.

(o) Including compliance issues in due diligence studies preceding mergers and acquisitions and in planning for new business activities.

Comments:

1. Rather than wait until new business ventures are already operating, managers may elect to address compliance issues in the planning stage. Similarly, in order to avoid buying into compliance problems, these may be specifically addressed as part of due diligence reviews of acquisition targets. The latter should include assessments of the target's compliance program.

(p) Determining the degree of confidentiality and legal privilege protection that are appropriate for self-evaluative compliance activities.

Comments:

1. Managers may find that the effectiveness of the program, and the ability to continue a rigorous program, depend on the ability to preserve the confidentiality of evaluative and reporting activities, and to prevent their being used against the organization. The risk of having compliance materials used against the organization can serve as a deterrent to rigorous compliance efforts. Managers may want to take steps to maximize protections at the beginning of compliance activities. These protections include (a) attorney-client privilege; (b) work product protection; (c) environmental audit privilege; (d) medical peer review protection; (e) ombudsman privilege; and (f) self-evaluative privilege. See also Consideration 18(k).

2. Even when efforts are taken to protect compliance activities, those activities must be tempered by the risk of losing protection. For example, a voluntary self-disclosure to the government may be held by courts to waive privilege protection.

PRINCIPLE 12: REWARD SUCCESS

Incentives and disincentives are significant tools in promoting compliance.

Factors to Consider:

(a) Identifying policies and practices that will link favorable employment treatment, including increased compensation and advancement, to individuals' furtherance of organizational compliance.

Comments:

1. Unless employee rewards are linked to support of a compliance program, behavior disregarding or opposing compliance will often be

common in an organization. It is important to link the demonstration of conduct supporting a compliance program with positive treatment for the employees involved. Including compliance performance as a category in annual performance reviews reinforces the importance of the issue in the organization. Also, the development of progressive levels of counseling and discipline for those individuals who fail to support a program will often create strong reasons not to overlook compliance concerns.

(b) Informing persons throughout an organization that the organization's policy is to allocate incentives and disincentives (including compensation rewards and discipline) in accordance with individuals' pursuit of compliance.

Comments:

1. It is frequently desirable to recognize an individual's support of the compliance program in an organization.

Example a: An employee might be recognized for the detection and termination of practices that would otherwise have led to a violation. This must be done with extreme care so as not to violate privacy rights of others who were involved in the improper conduct. A thorough discussion with an attorney sensitive to these issues prior to any published or spoken communication regarding disciplinary matters or investigations is essential.

(c) Communicating the views of organization leaders that incentives and disincentives provided for compliance performance are appropriate.

Comments:

1. Senior staff members should generally respond promptly and consistently to indicate their support for discipline and rewards administered under compliance program standards. If employees sense a division among managers regarding support of the program or a hesitation to act upon information regarding a violation, the credibility of the program and senior management are compromised.

(d) Insuring that rewards and discipline are applied in accordance with relative levels of compliance effort.

Comments:

1. Organizations may want to develop a variety of ways to encourage behavior that is supportive of compliance programs. Program-related goals and objectives may be used as part of the annual goal setting and performance management process. Periodic awards for supporting ethical behavior in an organization may be given by the organization's president or senior management. Visible recognition of behavior supporting the compliance program will demonstrate to organization members that such actions are noticed and rewarded.

2. Smaller organizations and divisions of larger corporations which choose an "employee of the month" or operate a similar program may wish to choose employees based partially on their compliance program activities. The choice of an employee for this type of award based primarily on compliance activities (and the publicity given this choice) can send a message to all employees that compliance success is valued and recognized in the company.

COMMUNICATIONS AND TRAINING

PRINCIPLE 13: COMMUNICATE STANDARDS

The organization's compliance program has a communications component, the

objectives of which are to make employees and other agents aware of applicable standards of conduct and to promote compliance.

Factors to Consider:

(a) Separately developing the communications component of the organization's compliance program.

Comments:

1. An organization's compliance communications program can be operated as a discrete part of an overall compliance program. In some organizations it will be desirable for the training staff to develop materials and programs aimed at compliance topics or to include those topics in existing training programs aimed at broader subjects. The sufficiency of alternative training practices in adequately informing employees about compliance requirements and related company policies can often be assessed independently of other aspects of compliance program performance. Hence, because compliance training may primarily involve training specialists rather than line managers and employees and because the success of this type of training can be assessed separately from overall compliance performance, it may be desirable to administer and evaluate the compliance training function as a separate component of a broader compliance program. In general, the formality of the communications component of a compliance program will increase with the size of an organization.

2. A compliance training program may address a variety of topics related to legal requirements, company values, and means to consider these in company business decisions and actions.

Example a: Topics that are typically featured in compliance-oriented training programs include communicating compliance policies and instructions to subordinates, ethical decision making and legal aspects of employees' jobs.

3. A common symbolic theme such as a logo may be used to identify various separate items as part of a single compliance-oriented communications program.

(b) Identifying the appropriate organizational personnel to include in the design and implementation of the communications program.

Comments:

1. In the design and development of a communications program, organizations may want to divide tasks among the training and legal departments so that a comprehensive program which reflects both the behavioral and legal aspects of the training is designed. The training department will have the responsibility for developing the learning objectives and delivery system (e.g., lecture, written and video materials) while the legal department will provide the technical input identifying compliance issues and the target audiences for each legal area of concern.

2. In smaller organizations, where no internal training or legal departments exist, the human resources department may work with outside experts (including attorneys) to achieve the same objectives. However, highly technical areas such as OSHA and EPA will likely require the involvement of both technical experts and lawyers.

3. Similarly, in companies which do not have separate training staffs or human resources departments that include training as part of their responsibilities, line managers of the companies may wish to use external consultants that specialize in compliance training to design the training features of the companies' compliance programs.

Page 74: Table of Contents

(c) Specifying the instructional activities that should be included in the communications component of the organization's compliance program.

Comments:

1. Training programs can be designed by individuals knowledgeable in adult learning. Well designed programs which provide meaningful learning experiences will enhance the educational process. A program which combines a variety of media -- for example, a program that includes a lecture, written materials and a video -- will provide the attendees with attention-stimulating information.

2. The inclusion of senior management in the training process will emphasize to the attendees the importance of the compliance program. Senior managers may appear in course videos, personally introduce the program or teach the sessions.

3. If managers are to teach compliance training classes, a "train-the-trainer" class for those managers may be a desirable means to review adult learning concepts and refine the managers' classroom training techniques.

4. A review of a newly developed program and a pilot run with a variety of managers and non-managers can assist the course developers in making edits to the program prior to the introduction of the course/materials to an entire organization.

(d) Structuring the communications program to provide feedback and evaluative information.

Comments:

1. Attendees' opinions regarding the effectiveness of training classes can be helpful in modifying the training to better meet the needs of future class members.

Example a: Formal course evaluations can be included at the end of every training session. They can include an evaluation of the instructor's teaching effectiveness as well as a section which evaluates the attendees' knowledge of the material presented. These evaluations can be completed anonymously.

Example b: Another technique is to use pre- and post-class tests with the attendees. These tests can gauge the differences in employee knowledge achieved through completing a class.

Example c: Employee opinion surveys can also be administered to evaluate the general awareness of the employees about a compliance program and their attitudes toward it.

(e) Documenting the steps taken in, and the results of, the organization's communications program.

Comments:

1. Formal documentation of training attended and materials received is useful in establishing the scope of compliance training.

Example a: All employees attending training classes can be required to sign their name to an attendance sheet which lists the employee's name, class title, date, time, instructor and course agenda.

Example b: Employees and agents receiving materials such as codes of conduct and other written communications can be required to sign a form stating that they have received and read the materials presented. Copies of these signature sheets can be kept in a company's human resources department. If an employee requests a copy, an additional copy of the confirmation form can be given to the employee for his or
her personal files.

Example c: One company uses "bubble sheets" to record employees' affirmation of understanding and acceptance of the company's code of conduct. These bubble sheets are scanned into a computer database allowing quick retrieval of the recorded information.

2. Documentation of training sessions completed and results achieved is legally required in some contexts. Where it is discretionary, this type of documentation should be undertaken with the understanding that the resulting records will be subject to disclosure in criminal or civil proceedings.

3. Employers may also want to keep records of compliance successes as reflected in government citations and workplace accident data and share information about the successes regularly with employees.

PRINCIPLE 14: MATCH TRAINING TO TASKS

An effective compliance program communicates appropriate compliance information and motivation to the organization's employees and other agents.

Factors to Consider:

(a) Providing information and skills needed to deal with the compliance issues and risks that each employee may encounter.

Comments:

1. Some companies develop a legal risk analysis to help them tailor their compliance communications program. This involves determining the types of business activities in which the organization engages, evaluating and prioritizing the type of legal risk encountered during these activities, and developing an appropriate communications program.

2. Most organizations find that different parts of an organization have different legal risk exposures and understanding of related compliance requirements. Firms can usefully tailor their communications programs accordingly.

Example a: Compliance training programs can be developed in a modular format that varies the training provided based on an employee's job level and function.

Example b: An organization may want to develop separate seminars for senior level staff, supervisors and managers and non-managerial employees noting the varying levels of responsibility each has in carrying out their duties under the program.

3. Additionally, specific training may be needed for persons undertaking particular job functions. The types of training needed in a particular function will be dictated by the legal standards directed toward that function and the potential sources of liability in carrying out that function.

Example a: Sales personnel may need specific training concerning foreign laws if the company sells its products in international markets.

Example b: Factory personnel may need specific training in OSHA requirements.

Example c: Individuals with responsibility for supervising others may benefit from training in coaching and counseling employees on resolving ethical dilemmas.

4. Consistent success of a compliance program in preventing, detecting, and reporting illegal or questionable business conduct requires clear and explicit support of management from top to bottom. A special effort should be made to communicate to all persons in management or supervisory positions the importance of compliance and the consequences of failure.

Example d: One way to do this is to have a company's top executive, General Counsel, or someone else clearly designated to speak for top management, brief all managers and supervisors on the company's policies on business conduct, the sensitive compliance issues faced in the industry of which the company is a part, an overview of the Federal Sentencing Guidelines for Organizations, and one or two "war stories" involving serious corporate misconduct drawn from areas in which the company faces significant exposure. These anecdotes should portray accurately the consequences of misconduct for the company, management, employees, shareholders and others negatively affected. These briefings can also include an open discussion of what the company should do to improve compliance.

(b) Describing to affected employees and agents an organization's internal processes for compliance.

Comments:

1. Communicating the requirements of a compliance program is a continuing process. New employees informed of a compliance program when first hired may not remember it more than a few months unless their knowledge is continuously reinforced. Accordingly, many companies include descriptions of their compliance programs as part of regularly offered training programs or regularly circulated written materials.

2. A company may wish to inform outside parties with which it conducts business of the company's compliance expectations.

Example a: A company may want to consider requiring specific compliance results in agreements or contracts with agents and vendors.

Example b: As a part of its comprehensive compliance program, the company may require that its agents and vendors certify in writing that they have compliance programs in place. This certification can be included in the written contracts that the company negotiates and may also be a part of a vendor certification process.

3. Information about compliance processes can include descriptions of how employees can best further these processes. This type of information will encompass more than just descriptions of conduct required under a compliance program. It will extend further to discussions of actions by employees (e.g., asking questions, seeking out compliance information, and reporting possible risks of noncompliance) that will best promote compliance within a company.

(c) Describing to employees and other agents the legal requirements and company values that govern organizational activities and the behaviors that are necessary to meet applicable legal requirements, corporate conduct codes, and ethical standards.

Comments:

1. A company may post notices in prominent, accessible places stating one or more of the following:

(i) The organization's commitment to compliance-applicable laws, regulations and standards of conduct;

(ii) The organization's designation of the compliance officer (or designee) to receive any reports of impropriety or misconduct about the organization's operations or practices of which any employee or agent may have knowledge. The misconduct may
be committed by an employee or agent of the organization, of another organization, or of a governmental agency;

(iii) The availability of the compliance officer (or designee) for consultation with any employee or agent about the application of any law, regulation or standard of conduct to the compliance program;

(iv) The compliance officer (or the compliance office) will ensure that all appropriate employees or agents attend applicable compliance training session(s), report why any employees or agents did not attend, and take measures to ensure they do so promptly;

(v) No employee or agent will suffer any penalty or retribution for good faith reporting of any suspected misconduct or impropriety;

(vi) Reports of misconduct or impropriety may be made anonymously or directly to a governmental agency; and

(vii) The organization will investigate all reports. Any employee or agent found to have engaged in misconduct will receive prompt and appropriate discipline, up to and including dismissal or refusal to retain.

2. Specific modules developed for particular job functions and employee levels will provide the attendees at training sessions with the compliance skills necessary to perform their jobs without complicating the training with unnecessary information.

Example a: All employees may attend a general introductory session and then break out into separate groups by job level or function for more detailed information.

3. Smaller companies that do little internal training of employees may send employees to seminars on compliance with legal and regulatory rules. A record should be compiled and retained indicating the subject matter of the seminars and the extent of employee attendance.

(d) Convincing employees and other agents of the need for compliance with legal requirements, conduct codes, and ethical standards.

PRINCIPLE 15: TAILOR TRAINING TO AUDIENCE

An effective communications program is designed to reach the intended audience.

Factors to Consider:

(a) Ensuring that a compliance communications program is understandable, accessible and practical.

Comments:

1. While compliance programs sometimes focus on complex legal issues, related training programs should be designed in "plain English" to enhance understanding and learning at all levels.

Example a: A trial or pilot program of training can be conducted to assess course material readability and the viability of the various training techniques used.

Example b: When the program must be translated into other languages the use of a communications/culture expert for that language will assist the organization in assuring that the translation reflects the intended message.

Example c: Customization of purchased programs can be considered to help training materials and practices more accurately reflect a
particular organization's unique needs.

(b) Evaluating the effectiveness of various communications techniques and methods.

Comments:

1. Some companies use multiple delivery vehicles to design communications appropriate to the organization's audience. It may be difficult to develop a single method to reach all employees and cover all information. Delivery vehicles can include:

Written communications
Handbooks, manuals, and other reference sources
Presentations, lectures, or classroom training
Case discussions
Broadcast programs
Video or audio tapes
Interactive software
Games, simulations, and role playing
Roundtables and focus groups
Experiential training

2. Adult learners respond well to a variety of training media. Providing employees with written materials as well as lectures, computer-based learning and videos will assist with the variety of individual learning styles often found in groups of adult learners. It is important to provide the adult learner with activities which will allow him or her to discuss the material presented with other participants.

3. Employees and managers can be provided with a catalogue that includes a listing of available materials and training materials related to compliance topics.

4. The use of a well developed course evaluation will allow the organization to assess the effectiveness of each medium and make adjustments as necessary to the program.

(c) Considering the occasions on which to administer the communications program.

Comments:

1. Compliance matters can be addressed on a variety of occasions in corporate environments.

Example a: New employee orientation is used by some companies to present compliance communications training. Newsletters also provide an opportunity to focus on a specific issue or topic addressed in the compliance program.

Example b: Some companies may want to provide supervisors with materials to hold monthly meetings during which they review with their department a specific compliance issue. These meetings and the attendees can be documented in the human resources files.

Example c: A company may also want to promulgate letters from the CEO on compliance topics as part of the communications program.

Example d: One company observed a noticeable difference in the effectiveness of employee training on significant and complicated issues in situations where the training was delivered late in the business day by speech alone as compared to situations when the training was conducted at a special designated time, was interactive and utilized re-creations of real life situations.

2. Some companies require all (or virtually all) employees to
participate in a legal compliance training session once a year. Such a program may require annual training sessions for all employees whose job functions or responsibilities involve compliance with laws, regulations or standards of conduct applicable to the operations or practices of the organization.

3. A compliance training program should be integrated into all the regularly conducted activities of an organization.

Example e: One organization set a goal that 15 minutes of every training program should be devoted to one or more compliance topics.

PRINCIPLE 16: DEFINE COMMUNICATION RESPONSIBILITIES

All levels of management are responsible for the operation of an organization's law compliance communications program.

Factors to Consider:

(a) Determining the role of senior management in an organization's compliance communications program.

Comments:

1. The support of senior management, in both word and action, will set the overall tone for the communications program. Senior management can appear in training videos, teach classes or provide an introductory letter to be included with training materials. Senior management can also give attention to the program by including corporate compliance as a topic in staff meetings. Continued communication of the compliance message to the organization emphasizes that compliance is a permanent foundation of the business.

(b) Determining the role of a compliance officer and further compliance staff members in an organization's compliance communications program.

Comments:

1. Many companies have their chief compliance officer play an integral role in the design of compliance training materials. He or she should be a visible part of the training team, either in person or on video. The compliance officer should be available to employees. He or she should be included in performance review meetings and give presentations on the status of the program to senior management.

(c) Determining the roles of supervisors and middle level managers in an organization's compliance communications program.

Comments:

1. An employee's supervisor or manager can provide daily support for an organization's compliance communications program.

Example a: A supervisor can make the program a topic of staff meetings and be available to discuss compliance issues with individual employees.

Example b: Monthly compliance roundtable discussions with employees and managers can also be effective in eliciting compliance concerns and bringing about their resolution.

(d) Integrating a compliance communications program with other communications programs and organizational operations.

Comments:

1. Some companies integrate their compliance communications program with other organizational communications programs.

Example a: Articles in existing employee newsletters, discussions in
regularly established staff meetings and assessments in performance reviews will serve to focus attention on compliance issues within the daily operations of the organization.

2. Smaller companies without their own newsletter may use outside attorneys to periodically write a newsletter on compliance issues for distribution to employees. Many larger law firms already publish such newsletters, often on specific topics such as employment law, environmental law, or government contracting.

RESPONSES TO VIOLATIONS

PRINCIPLE 17: RESPOND PROACTIVELY

An effective compliance program is proactive in its approach to dealing with incidents of noncompliance.

Factors to Consider:

(a) Measuring proactivity in terms of promptness and decisiveness.

Comments:

1. A proactive compliance program, capable of responding promptly and decisively, has in place processes and remedies to mitigate or eliminate misconduct or noncompliance and the future risk of recurrence.

2. The status of an employee alleged to have engaged in improper activity should be promptly addressed. Consideration should be given to relieving that individual of his or her duties while also giving appropriate regard to the employee's rights and the corporation's duties under evolving concepts of employment law.

3. A proactive compliance program, capable of responding promptly, generally involves reviewing documents and interviewing witnesses as soon as allegations of misconduct come to the attention of the corporation's managers.

(b) Responding to indicators of problems.

Comments:

1. A first step in ensuring that a corporation responds to a violation of legal or compliance program standards is to bring the violation to the attention of firm managers. A compliance program may include several alternative methods of reporting possible violations.

Example a: Employees may be encouraged to go to their immediate supervisor. If they feel uncomfortable doing that, they may be encouraged to go to their supervisor's manager or to another member of their direct chain of management.

Example b: Another method of raising issues is through a special complaint office.

2. To ensure that reported incidents are not simply ignored, a procedure can be established for responding to reports of compliance problems. A procedure of this sort can ensure that responses to compliance problems are automatic and consistent. Such a procedure can also assist in protecting both corporate legal privileges and the anonymity and other interests of whistleblowers. This type of procedure may also help establish the company's commitment to correcting compliance problems should the effectiveness of its compliance programs be subjected to outside scrutiny.

3. To assess the consistency of its responses and to detect patterns of noncompliance, an organization may wish to use a database to track incidents of noncompliance. In this manner, the organization can track the type of incidents occurring and target those areas for employee education. Further, the tracking of such incidents can indicate larger problems occurring
within the organization or focus the organization on the area in which such violations are occurring. The database may also include a response for an automatic follow-up to ensure that all incidents are investigated and that any corrective actions which should be taken or considered are, in fact, taken. Again, the use of the database can provide evidence to outside reviewers that compliance program activities are monitored and that corrective actions are taken where appropriate.

4. A party providing information about misconduct by a fellow employee can also assist in monitoring company responses to the reported misconduct. The individual supplying this information can monitor the completion of corporate responses if the individual is given information about the progress of such responses.

Example a: In one firm, if a complaint was filed with the corporate concerns program and the complainant provided his or her name, the individual was kept informed of the status of the investigation and the final resolution. If the caller wanted to remain anonymous but still wanted to know the status of the case, he or she was assigned a fictitious name or ID number and asked to call back at a given time.

5. Some firms have successfully used crisis management techniques to ensure proper responses to incidents of noncompliance.

Example b: The challenge of responding effectively to compliance incidents caused the formation by one company of a standing Incident Management Team. This team was delegated the responsibility for devising a specific incident management plan, customized to be responsive to the known facts, no later than 24 hours after an initial incident report.

6. Firms can also utilize feedback reports in response to detected misconduct to help ensure that the response is complete and comprehensive.

Example c: Among the elements of one compliance incident management plan was a requirement that the responsible compliance officer confirm in writing the successful completion of all corrective action measures to the organization's senior compliance manager.

7. Systematic compliance monitoring practices can also incorporate features that help ensure a proper response to detected misconduct.

Example d: In order to promote the timely identification of and prudent response to compliance incidents, one company directed its Audit Managers to report to its law department, within 24 hours of discovery, known or suspected compliance violations detected in the normal course of audit activities.

8. Readily available internal data, routine correspondence from external sources, or other types of information maintained in the ordinary course of business may indicate the existence of compliance weaknesses. Accordingly, a program may include a methodology for evaluating such information, identifying patterns that are suggestive of problems, and initiating further inquiry if appropriate.

Example e: A pattern of customer complaints received might warrant further inquiry into a particular sales person, security or branch office.

(c) Keeping abreast of regulatory changes and industry experience.

Comments:

1. Tracking of compliance trends in an organization's industry and related industries can be furthered through a formal mechanism to ensure
timely receipt of information. Some industries have formed compliance practice forums for industry participants to meet on a regular basis and to exchange experiences on compliance activities. Companies share information on the compliance risks they address and on instances of misconduct in their industry.

2. An effective compliance program can supplement the internal experience of the organization's own managers and officials with that of others in its industry or field. In addition to traditional means of information exchange such as seminars, articles in industry publications, trade groups, and the like, compliance managers can pursue other sources of information such as networking with counterparts at similar organizations and at regulatory agencies. While such networking has advantages, care does need to be taken to preserve the confidentiality of information as required by law and prudent management.

(d) Identifying and responding to actual or suspected violations.

Comments:

1. Useful corrective actions following a detected instance of illegal conduct may include:

(i) Assessments of the conduct and related corporate activities to determine the extent of the illegal activities and their causes;

(ii) Analyses of surrounding corporate activities to determine whether causes of the conduct are continuing or peculiar to the offense at hand;

(iii) Introduction of changes in operating practices or procedures that will make a recurrence of the same misconduct less likely;

(iv) Assignments of responsibility for the implementation and continuation of these changes;

(v) Introduction of improved information gathering practices to make earlier detection of similar misconduct more likely; and

(vi) Special short-term monitoring of the effectiveness of newly instituted corrective actions to confirm that they are sufficient to prevent further similar offenses.

2. It is often useful to designate a specific individual with responsibility for identifying and responding to actual or suspected violations.

Example a: In one company, the General Counsel is given this responsibility and is required to report to the company's CEO within 12 working days of initial receipt of information in all cases involving misconduct.

3. To identify and respond to violations, it is important to heighten the awareness and commitment of managers and supervisors to compliance. One way to accomplish this is by involving managers and supervisors directly in corrective actions when misconduct has occurred. Some firms require those delegated responsibility for fixing problems to report at a specified time to a compliance manager or top executive on the remedy and how well it's working.

4. Managers and supervisors can be encouraged to actively identify and respond to actual or suspected violations by making this behavior an explicit performance goal. Rewards can be considered not only for the absence of violations but also for leadership behavior and activities which explicitly promote commitment to compliance.

(e) Developing special procedures for gathering evidence of misconduct by
personnel with substantial discretionary authority.

PRINCIPLE 18: GATHER COMPLIANCE INFORMATION

An effective compliance program possesses or has access to investigatory, evaluative and reporting resources and utilizes those resources to monitor compliance.

Factors to Consider:

(a) Determining who will conduct compliance investigations in advance of occasions for such investigations.

Comments:

1. While the resources needed to achieve compliance will vary from organization to organization, an investigative capability for looking into the existence, scope, and sources of misconduct will typically be a necessary component of an effective compliance program. This capability may be implemented through a variety of types of investigators. In selecting these investigators, it will generally be unwise to leave investigation of significant compliance issues solely to managers of the organization's regular activities. These managers may lack the objectivity, skills, or incentive to conduct a proper investigation.

Example a: A large organization may support full-time compliance investigation personnel. These investigators will, over time, be able to accumulate useful experience and information about both the compliance risks faced by an organization and the internal sources of compliance-related performance information.

(b) Assuring that compliance investigations are undertaken by persons with adequate expertise to identify breaches of legal requirements and compliance program standards.

Comments:

1. An effective compliance program may designate a specific individual with relevant expertise to carry out compliance investigations.

Example a: Many companies designate their General Counsel to perform investigations of potential compliance problems. The legal training of these individuals often assists them in identifying proper avenues for investigation. The use of inside or outside attorneys for investigations of misconduct may also mean that the corporation can invoke the attorney-client or work product privileges to shield investigation results from later disclosure.

Example b: In a small organization, outside attorneys and investigators with special expertise may be retained as necessary to complete compliance investigations.

(c) Making certain that further investigations and responses are undertaken following the detection of possible misconduct.

Comments:

1. In order for an investigation to proceed quickly and efficiently, it may be necessary for an organization's top executives to describe to key employees the existence of the investigation and its importance.

(d) Assuring the adequacy of resources available to investigators.

Comments:

1. A compliance program can specify explicit standards defining the circumstances in which specialized investigative resources will be employed to address compliance issues. Such resources may include both inside and outside personnel that will be marshaled depending on the kinds of skills needed for a particular investigation and the number of individuals required to
complete the work in a timely way.

2. An authorizing letter from a company's Chief Executive Officer to investigators may assist in the dedication of resources needed for an internal investigation.

(e) Insuring the independence of compliance investigators from line managers whose activities or organizations are being scrutinized.

Comments:

1. An independent investigation requires that investigative resources be under the control of an individual or group that is free of influence from those persons who may be investigated. In circumstances where high-level personnel are alleged to have acted improperly and real independence is virtually impossible in view of the role of the alleged perpetrator, the person in charge of compliance must have the authority to call on outside resources and to delegate the investigation to outside resources. This type of outside attention will sometimes be necessary to ensure the independence necessary for a compliance program to be effective.

2. The results of a compliance audit or investigation must be assured a clear path to senior management that is not subject to diversion or delay by those who are subject to the audit or investigation. Some companies implement strict procedures for the manner in which regular audit reports are to be prepared, develop general guidelines for reports regarding investigations of specific wrongdoing, and make specific plans for distributing those results to responsible senior management. Procedures of this sort can ensure that audit findings and investigation results are not forgotten and simply relegated to the "file," but instead are dealt with promptly and decisively by responsible senior management.

3. An independent check on compliance investigations can sometimes be implemented through a review process.

Example a: One organization implemented a two-step audit with supervisors conducting periodic compliance audits which the company's audit function regularly reviewed to identify compliance deficiencies. Absent the involvement of an attorney, such self-evaluative studies may be discoverable in civil and criminal cases.

Example b: One organization routinely conducts "assurance audits" designed to evaluate the effectiveness of compliance investigations and other compliance management systems.

(f) Developing record-keeping capabilities and resources to aid in identifying compliance problems and in monitoring responses.

Comments:

1. Record keeping capabilities are particularly important in tracking allegations of improper conduct and actions taken to correct such conduct. Computer programs can be utilized to keep information on compliance investigations and responses to problems. Useful information that can be recorded includes the name, social security number, office extension, and address of the individual reporting misconduct, an identification number for the allegations of impropriety, a description of the nature of the allegations, the date of any response, the employees assigned to address the allegations, the date such assignment was acknowledged, whether the matter is active, on hold, or closed, the promised completion date, any action taken to resolve the allegations, any response of the employee to the action, and the date the file was closed.

2. Documentation of compliance audits can be created by having an auditor complete an audit checklist and through preparation and maintenance of audit findings reports.

3. Many companies have formal records retention policies designed to ensure that records that may become relevant to compliance issues will be maintained in an orderly and non-discretionary manner. In general, compliance records should be retained as long as they are legally required to be kept or are likely to contain relevant, useful information for the subsequent management of compliance efforts. For particular categories of documents, the likelihood that they contain information that is relevant to future compliance management depends on whether they contained information that related to compliance when the documents were created and whether, due to changes in company practices or legal requirements, that information remains relevant or useful in addressing current compliance problems.

Example a: A company could require that certain types of documents never be destroyed, while allowing other categories of compliance program records to be disposed of at the end of a specified retention period.

4. Record retention policies should be followed, and should not be changed, during the course of any external investigation. Destruction of documents outside the normal course of a records retention policy, or changing the policy to permit destruction of records that might otherwise be preserved, could be viewed as obstruction of justice or spoliation of evidence.

5. Likewise, records pertaining to an event at issue should not be destroyed during the pendency of any judicial proceeding or criminal investigation. Regular destruction practices should be reviewed at the outset of an external investigation to ensure that records required to be retained are not subject to normal destruction processes.

6. Files containing reports of violations should contain reports of any corrective actions.

(g) Assuring preparedness for compliance investigations and responses.

Comments:

1. One way to increase preparedness for compliance investigations is by running practice drills to assure that a compliance program's capabilities are in keeping with changing needs of the organization for effective investigations and offense reporting. These drills would involve undertaking a mock investigation and response development.

(h) Assuring appropriate scope and methodologies in the completion of compliance investigations and responses.

Comments:

1. When conducting interviews, interviewers should advise the employees being questioned that any attorneys involved in the interviews represent the company rather than the employees personally. Interviewees should further be advised that decisions to waive privileges and to disclose materials gathered during the course of an internal investigation will be the prerogative of the company rather than of any individual employee.

2. Proper means for conducting compliance investigations may be defined, at least in part, by union agreements or other contractual terms of employment. Standard operating procedures for compliance investigations should be designed to be consistent with these sorts of agreements or contractual terms where applicable.

Example a: Collective bargaining agreements may require that union representatives be present during investigatory interviews.

Example b: Employee handbooks may set forth procedures regarding investigatory interviews.

(i) Defining reporting systems within a company that will provide indications that compliance investigations are needed.

(j) Assuring accuracy and reliability of information gathered in compliance investigations.

(k) Conducting investigations in a manner that is likely to preserve the attorney-client and work product privileges.

Comments:

1. Although other standards may apply in some states, in most jurisdictions attorney-client privilege applies to corporate communications when: 1) a communication to an attorney is made by a corporate employee for the purpose of securing legal advice, 2) the employee making the communication did so at the direction of his corporate superior, 3) the superior made the request so that the corporation could secure legal advice, 4) the subject matter of the communication was within the scope of the employee's corporate duties, and 5) the communication was not disseminated beyond those persons who, because of the corporate structure, needed to know its contents. While these circumstances will generally be sufficient to establish the privilege, not all of these may be necessary for the attorney-client privilege to be recognized. The work product privilege can also apply in corporate contexts where counsel gathers information or conducts legal analyses in contemplation of litigation.

2. In conducting a compliance investigation, companies generally attempt to establish the attorney-client and work product privileges, thus preserving their option in the future to either invoke the privileges or to waive the privileges and make disclosures to the government. In order to establish the attorney-client and work product privileges, companies generally consider taking some or all of the following steps: 1) stamping each document generated in an investigation conducted by an attorney (or under the supervision of an attorney) "Privileged and Confidential: Attorney's Work Product", 2) requesting formal authorization to conduct an internal investigation, 3) having corporate management formally authorize the internal investigation, 4) having an attorney conduct or coordinate the investigation, 5) maintaining a separate file for the investigation, 6) having management formally direct employees to cooperate in corporate counsel's investigation, 7) considering the distinction between opinion and ordinary work product in conducting employee interviews, 8) referencing the elements of the privileges in any report summarizing the results of the investigation, and 9) creating a confidential relationship with any consultant or investigator hired to assist in the investigation.

PRINCIPLE 19: CONSIDER OFFENSE REPORTING

An effective compliance program addresses the need for external reporting of violations of the law.

Factors to Consider:

(a) Assuring that self-reporting by an organization will comply with mandatory reporting requirements.

Comments:

1. Compliance with mandatory reporting requirements is an essential ingredient of any compliance system. Compliance with such mandatory
reporting requirements requires knowledge of those requirements. Hence, persons charged with ensuring compliance with reporting requirements should be particularly well versed in those requirements and should be the designated recipients of information pertaining to company activities that may trigger reporting obligations.

2. Because many mandatory reporting requirements have short periods in which reports must be made (such as at the earliest possible opportunity), individuals having responsibility for specific corporate activities are often given the responsibility to make related reports. In such cases, compliance programs sometimes establish procedures to ensure that information is transmitted in a timely manner to the person charged with reporting responsibilities. Sometimes the information is provided simultaneously to the company's general counsel or such individuals will consult with their company's legal department if questions arise, but these individuals have the authority to make reports on their own.

3. If the reporting function is reposed in the legal department, individuals who may lack knowledge of reporting requirements may transfer information to the legal department slowly, leading to extended delays in reporting and corresponding violations of statutes requiring prompt reporting. Steps should be taken to ensure that time periods for reporting are satisfied.

(b) Weighing the advantages of voluntary self-reporting of misconduct under Federal Sentencing Guidelines for Organizations, government voluntary disclosure programs and other legal standards.

Comments:

1. Federal Sentencing Guidelines for Organizations do not impose any obligation to report violations of law. Rather, the Sentencing Guidelines encourage voluntary reporting by providing significant mitigation of penalties for companies that voluntarily report. Companies choosing not to report voluntarily cannot avail themselves of the penalty mitigation provisions set forth in the Sentencing Guidelines, although they may still obtain the other benefits of a properly implemented and enforced compliance program -- e.g., reducing or eliminating future violations of law, minimizing civil exposures, and appealing to prosecutorial discretion notwithstanding the failure to report.

2. When companies uncover violations of law not required to be reported, they generally evaluate whether or not to report such violations based on the unique facts of each individual case. Companies generally carefully consider, in addition to the penalty mitigation provisions of the Sentencing Guidelines, the following factors: a) the likely consequences of voluntary disclosure (including potential impacts on criminal prosecutions, jail penalties, civil liability, debarment under government programs, corporate stigma, and later business opportunities); b) the propensities and track record of the governmental or regulatory body or individual to whom disclosure would be made; c) potential options in determining to which governmental or regulatory body to disclose; d) the potential for disclosure to boost public confidence in the company's products or services; e) whether the public would expect disclosure of the type of violation or conduct uncovered and lose confidence in the company's products or services if the violation or conduct surfaced independently; f) whether the company is "public," having independent members of the Board of Directors who may perceive greater obligations to disclose than otherwise exist; g) the potential to disclose to a civil -- not criminal -- authority and the likelihood of referral to criminal authorities; h) the likely response of governmental or regulatory authorities if
they uncovered the violation in the absence of voluntary disclosure; i) the expectations of company personnel; and j) the likelihood of the independent discovery of the violations by governmental authorities. Even when a company determines not to make voluntary disclosure, it should carefully consider its responsibilities concerning remediating the harm from violations and abating any continuing violations. See also Consideration 19(i) (Comments 1-4).

Example a: A recent EPA policy, Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations, 60 Fed. Reg. 66706 (December 18, 1995), provides that if a company uncovers a violation using either environmental auditing or a compliance program and promptly and voluntarily discloses the violation to the government, it may reduce and perhaps eliminate gravity-based civil and criminal penalties for the violation.

Example b: Many states have legislation treating an environmental audit as privileged as long as the company takes reasonable and prompt steps to correct detected violations of environmental laws and to notify the government of those violations. Factors in Decision on Criminal Prosecutions for Environmental Violations in the Context of Significant Voluntary Compliance or Disclosure Efforts by the Violators, U.S. Attorneys Manual, 5-11.104A, should be consulted in connection with the voluntary disclosure of environmental violations.

(c) Designating decision-making responsibility and authority for determining when and how to self-report detected misconduct.

Comments:

1. Companies may designate different people to be responsible for reporting different types of violations as required by law. For instance, company health and safety personnel may be appropriate to report accidents as required by OSHA. Company environment personnel may be appropriate to report environmental discharges.

(d) Determining the appropriate scope of disclosures when a decision is made to self-report detected misconduct.

Comments:

1. Once a decision to disclose is made, a decision must be made as to what to disclose and whether to seek protection from disclosure for information withheld.

Example a: A company uncovering a violation during the course of an audit may decide to disclose the violation by itself or the entire audit report. Even if they choose to disclose the entire audit report, company managers might choose to withhold the underlying interview memoranda or other documents generated during the course of the audit.

Example b: Some companies seek to condition disclosure on a representation that the governmental authority involved will not disclose the information to third parties absent a court order. Others condition disclosure on an agreement that the governmental authority will not seek disclosure of any additional information that might otherwise be privileged.

(e) Addressing potential conflicts between an organization and its agents or employees where the organization chooses to report detected misconduct.

Comments:

1. Conflicts of interest between an organization and its agents or employees can exist when the testimony of one may implicate the other.

2. A conflict of interest may also exist if an individual having knowledge of wrongdoing by the company is represented by the same lawyer as the company. Under these circumstances, if an employee is a target of an investigation, the lawyer's obligation to the corporation may be at odds with his or her obligation to the individual employee. Accordingly, such representation is generally prohibited. Under these circumstances, some companies advise employees that they have the right to obtain independent counsel.

3. Corporations sometimes indemnify an employee for the cost of separate counsel to represent the employee. Corporations may wish to consult an attorney prior to agreeing to indemnify an employee for the cost of his or her attorney to ensure that the proposed indemnification is consistent with applicable corporation laws and with any indemnification provisions contained in the charter or bylaws of the company involved.

(f) Waiving or preserving legal privileges in the course of disclosing information to public officials.

Comments:

1. Where information is required to be disclosed to public authorities under mandatory reporting provisions, the public authorities frequently insist that the attorney-client privilege does not protect against such disclosure.

2. In circumstances where disclosure is not required, a corporation has the ability to decide to disclose information about violations (probably waiving privileges that might otherwise apply to that information) or not to disclose (potentially preserving the privileges). Many companies designate their General Counsel as the individual making such decisions because such individuals generally have the best understanding of legal requirements regarding disclosures and the consequences of waiving any applicable privileges.

(g) Considering whether self-reporting will be accompanied by an organizational acceptance of responsibility for disclosed violations.

Comments:

1. Federal Sentencing Guidelines for Organizations provide that entry of a plea of guilty prior to the commencement of trial combined with truthful admission of involvement in the offense and related conduct ordinarily will constitute significant evidence of affirmative acceptance of responsibility warranting penalty mitigation. The Sentencing Guidelines provide that admission of guilt after putting the government to its burden of proof at trial is generally not a sufficient acceptance of responsibility but that an organization may go to trial to assert and preserve issues that do not relate to factual guilt (e.g., to make a constitutional challenge to a statute or a challenge to the applicability of a statute to the organization's conduct) without losing the benefits of penalty mitigation.

(h) Deciding whether to cooperate with external investigations by public authorities.

Comments:

1. Federal Sentencing Guidelines for Organizations provide that penalty mitigation requires cooperation which must be both timely and thorough. According to the Guidelines, to be timely, the cooperation must
begin essentially at the same time as the organization is officially notified of a criminal investigation. To be thorough, the corporation should disclose all pertinent information known in order to permit law enforcement personnel to identify the nature and extent of the offense and the individual(s) responsible for the criminal conduct.

2. A company deciding not to cooperate with external investigations should ensure that its conduct during the course of the investigations does not amount to obstruction of justice. See also Consideration 19(e) (Comments 1-3).

Example a: A company not cooperating with an external investigation advises its employees that they may, but are not obligated to, speak to external investigators and that, if they choose to, the company will then make the services of the company's attorney available to them. The company does not advise its employees not to cooperate with the external investigators and if employees do cooperate, it tells them to tell the truth.

Example b: Prosecutorial authorities sometimes request that companies not disclose an ongoing investigation to company employees or to third parties. Such nondisclosure may be an important feature of the cooperation sought from the company.

(i) Remediating harm from detected misconduct.

Comments:

1. Compliance programs are designed in part to protect companies from liability. One related activity to be considered in a compliance program is remediating any harm from past offenses. Companies that are unwilling to commit the resources necessary to remediate harm uncovered through compliance investigations should consider whether the investigation itself ought to be conducted.

Example a: Some companies have instituted procedural requirements under which proposals to address remediation of harm are required within 10-15 days of uncovering any violation.

Example b: Uncovering harm in an investigation and failing to correct it may be viewed by prosecutors and agency officials as evidence of a company's willful disregard of law, failure to take responsibility for the past misconduct of company employees, or failure of the company to treat its compliance program seriously.

2. Another activity to be considered in a compliance program is correcting any ongoing violations. The failure to correct an ongoing violation may itself constitute an independent violation.

Example a: A company discovers that groundwater beneath its site has been contaminated from an off-site source for which the company is not responsible. To the extent that the company concludes that reporting statutes do not require disclosure, it should still consider whether the contamination constitutes a threat to public health and, if so, whether the failure to report could subject it to civil toxic tort liability or is otherwise contrary to the company's obligations as a good corporate citizen.

3. While companies should seriously consider promptly correcting any violations or harm uncovered, circumstances may exist where there are practical limits on a company's ability to take corrective action. In such cases, the company should make a good faith effort to address the problems as promptly as is reasonably practicable.

Example a: A small business uncovers a series of environmental violations of varying degrees of seriousness. Its resources do not permit it promptly to address each violation. The company establishes a three-year timetable to address all the violations and establishes a budget for this activity. By spreading the cost over three years, the annual expenditures on corrective action are substantial in view of the company's annual revenues but do not seriously impact the company's annual bottom-line.

4. Even if a company does not have the financial resources to take all possible corrective actions, compliance programs that include reasonable corrective measures can realize substantial corporate benefits by reducing the scope or frequency of noncompliance.

(j) Identifying the scope and ramifications of an organization's vicarious responsibility for detected misconduct.

Comments:

1. Under federal laws and those of most states, corporations are liable for offenses committed by employees who are acting within the scope of their job duties and for corporate gain. Affirmative support for an offense by corporate executives or managers generally is not required to establish corporate liability.

2. However, corporate self-reporting to public officials of offenses detected through a compliance program can significantly reduce the instances and severity of corporate liability. Even when an offense is committed within an individual's scope of employment and for corporate gain, prosecutors have the discretion to decide not to bring charges against the corporation involved based on the corporation's cooperation in the detection and investigation of the offense and assistance with the prosecution of the individuals who committed the offense.

3. In assessing whether or not a corporation is likely to be prosecuted for the actions of its employees, another critical factor to consider is the strength of the company's compliance program. For example, the former U.S. Attorney for the District of New Jersey has indicated that whether a corporation had made a "reasonable effort" to avoid criminal activity would be a "strong factor" in determining whether or not to seek an indictment against a corporation.

4. Under some state laws, an organization's vicarious liability for offenses by employees will also include an inquiry as to whether a violation was authorized or tolerated by high-ranking officers of the organization and the level of knowledge the organization's officers and directors had about the offense prior to its commission.

PRINCIPLE 20: EVALUATE PROGRAM EFFECTIVENESS

An effective compliance program utilizes incidents of noncompliance to evaluate its own effectiveness, to correct deficiencies and to effect improvements.

Factors to Consider:

(a) Disciplining and retraining responsible employees.

Comments:

1. In order to deter later misconduct, individuals who are found to have been responsible for misconduct or noncompliance should generally be disciplined. To set the stage for effective discipline, compliance programs should include policies that specify that violators will be subject to discipline as well as the range of sanctions that are available. If a company has
collective bargaining agreements or other formal standards for discipline procedures already in place, discipline pursuant to a compliance program needs to be carefully coordinated with the separate discipline standards.

2. For breaches of compliance program standards amounting to less than an offense (e.g., failures to take actions aimed at reducing the likelihood of offenses without participation in or support of any actual offenses), a sufficient response may entail modest discipline coupled with retraining aimed at ensuring that the employees do not repeat the same mistakes. Increased training and monitoring will be particularly appropriate when ignorance of legal or compliance program requirements was a significant factor in an employee's misconduct.

3. Sometimes, incidents of misconduct may reveal widespread gaps in employees' knowledge or observance of compliance program requirements, thereby signaling the need to retrain whole groups of employees.

4. Since all training has a limited period of retention, refresher training programs are often prudent. The detection of an offense may justify an increased frequency of refresher training.

(b) Identifying root causes of misconduct, including weaknesses in detection practices.

Comments:

1. In order to learn from a detected incident of misconduct and avoid future instances of similar misconduct, companies will often find it valuable to identify root causes of compliance problems. Root-cause analysis looks beyond superficial symptoms to underlying factors contributing to or causing shortcomings or failures in the system. Root-cause analysis asks why something occurred and what could have been done to have prevented it from happening in the first place.

Example a: A bribery scheme may raise pertinent questions about corporate activities leading to the offense such as the hiring practices applicable to the offender.

2. Assessments of weaknesses in offense detection practices that allowed an offense to remain undetected can include evaluations of the knowledge and conduct of superiors and coworkers of the person who engaged in the misconduct to see why the misconduct went unreported.

(c) Using external reviewers to evaluate incidents of misconduct and related compliance program weaknesses.

Comments:

1. In evaluating an incident of misconduct, it is sometimes highly useful to engage an external reviewer to analyze the incident and identify possible weaknesses in a compliance program that may have contributed to the incident. The external reviewer may be someone from an area within the company entirely unrelated to that in which the incident occurred. The external reviewer may also be someone from outside the company. Advantages of outside reviewers may include special expertise or perceived objectivity. Disadvantages may include company privacy questions or distrust and lack of full cooperation with the reviewer by employees important to uncovering the facts.

2. External reviewers may be able to advise on steps other companies have taken in similar situations or make recommendations which would not be palatable from inside sources. A company's independent auditors may have greater expertise concerning appropriate
remedial measures than do company personnel in matters involving weaknesses in or deviations from the system of internal controls or recordkeeping.

(d) Assuring prompt and effective follow-up measures.

Comments:

1. When an incident of misconduct evidences weakness in a compliance program, effective corrective measures help provide counterevidence of the future soundness of the program. Effective corrective measures should be based on an accurate analysis and diagnosis of the factors contributing to a specific problem, a clear description of the proposed remedy, and a statement of how the proposed remedy will actually help correct the weakness. Effective measures should also include a timetable for implementation and an enumeration of the steps to be used to evaluate the adequacy of the correction.

2. Company practices can ensure that a compliance program is reexamined and the need for modification of the program is carefully considered following a compliance breakdown.

Example a: One company required its compliance officer to provide the board of directors with a written assessment of every compliance failure and recommendations for program changes.

3. A compliance program can help ensure positive changes in an organization's culture following a compliance failure.

Example b: One company held discussions of compliance risks and employees' compliance concerns to "clear the air" after a serious compliance problem led to major personnel changes. These sessions were held in part because the nature of the compliance problems leading to the changes had not been fully disclosed. While the misconduct of the individuals involved was not described, the sessions were aimed at overcoming the reluctance of employees to raise compliance issues and to share information. The meetings were led by trained facilitators, who worked closely with a company lawyer in documenting concerns, developing responses for management consideration, and implementing responsive actions.

NCPL CORPORATE COMPLIANCE PRINCIPLES

APPENDIX A

SAMPLE CODE OF CONDUCT

Prepared by Karl Groskaufmanis
Fried, Frank, Harris, Shriver & Jacobson

INTRODUCTION

The core precept of a compliance program is that it sets an organization's standard of conduct. The basic building block for most compliance programs is a code of conduct disseminated throughout the organization. Such a code of conduct will not constitute a complete compliance program of itself -- a compliance program should also include additional features that comply with the compliance principles described elsewhere in this volume.

There can be no "universal" code of conduct. Each organization must adapt its statement of compliance standards to its environment and the compliance concerns confronted by that organization. In determining the range of compliance issues that a code of conduct will address, corporate managers may wish to review the applicability to their company of the types of compliance concerns listed in Consideration 1(d)
(Comment 1) of these Principles. Furthermore, while this sample code is primarily addressed to law compliance and liability avoidance, corporate managers may wish to consider a broader focus for a code of conduct -- e.g., extending such a code to compliance with specified company values or ethical standards.

There are, however, certain fundamental compliance code provisions that are relevant to most organizations. The NCPL Compliance Principles Commission believes that a short statement of these provisions may be particularly useful to smaller companies and organizations that have evolved to the point where a formal compliance program must be developed. To aid such efforts, the following code of conduct addresses, as a model, some of the key code provisions that a small company may wish to adopt as part of a broader compliance program.

The publication of this sample code in conjunction with the NCPL Compliance Principles should not be taken as legal advice as to the sufficiency of this code for a particular company. Company managers may wish to seek advice from an attorney regarding both the range of compliance issues to be addressed in a code of conduct and the compliance methods specified there. For further information on compliance codes and their functions in compliance programs, see Karl A. Groskaufmanis, Corporate Compliance Programs as a Mitigating Factor in Corporate Sentencing Guidelines: Compliance and Mitigation § 5.08 (Jed S. Rakoff, Linda R. Blumkin, Richard A. Sauber eds. 1996).

XYZ CORPORATION

CODE OF CONDUCT

INTRODUCTION

Each employee contributes to the care and maintenance of our most important asset -- our reputation for integrity. Each employee must help preserve that asset.

Our reputation for integrity is the cornerstone of the public's faith and trust in our company; it is what provides us an opportunity to serve our customers. A single employee's misconduct can do much to damage a hard-earned reputation. This code is presented to assist you in guiding your conduct to enhance the reputation of our company. This code supersedes all previous codes and policy statements.

Employees should understand that this code is drafted broadly. In that respect, it is our company's intent to exceed the minimum requirements of the law and industry practice. The following sections identify conduct which is never acceptable and will always be considered outside the scope of your employment.

The company intends to enforce the provisions of this code vigorously. Violations could lead to sanctions, including dismissal, as well as, in some cases, civil and criminal liability.

No corporate code can cover every possible question of business practice. When in doubt -- ask before you act.

Upholding the code is the responsibility of every employee. All managers are held accountable for code enforcement in their divisions. [The Administrator] is the corporate officer who will administer the company's overall compliance program. Any failure to adhere to the standards outlined in this code may be reported directly to him without fear of retribution.

Inevitably, the code addresses questions that escape easy definition. There will be times when you are unsure about how the code applies. In such cases, you should feel free to contact [the Administrator].

CONFLICTS OF INTEREST

Avoid any situation in which your personal interests conflict with those of the
company.Each employee owes a duty of loyalty to the company. For that reason, allemployees must exercise great care any time their personal interests conflict with thoseof the company. The following sections review several common problems. The list is notexhaustive. The general principle, however, is simple: exercise great care any time theremight be even the appearance that you acted for reasons other than to benefit thecompany.Relations with SuppliersEmployees purchasing goods or services on behalf of the company mustexercise great care to preserve their independence.Employees who deal with the company's suppliers are placed in a special positionof trust. This position requires you to exercise caution in dealing with suppliers. As ageneral rule, no employee should ever receive a payment or anything of value in exchangefor a purchasing decision. The company recognizes an exception for token gifts (such asa calendar) of nominal value (less than $100). If you are in doubt about the policy'sapplication, [the Administrator] should be consulted.Outside EmploymentYour first obligation rests with the company.The company requires the full attention of its employees. In general, this level ofattention makes it impractical for employees to pursue extensive employment outside thecompany. Moreover, outside employment also could lead to a conflict of interest for theemployee. Consequently, any outside employment must be approved in advance by [theAdministrator].Corporate BoardsAny employee invited to join a corporate board of directors must obtain theapproval of [the Administrator].The director of a corporation has access to sensitive information and charts the151course of the corporation. When a company employee is invited to play that role for anoutside organization, the company must take safeguards to shield both the company andthe employee from even the appearance of impropriety. 
For that purpose, [the Administrator's] approval is required before any employee can accept a director's position at another company.

Corporate Opportunities

Do not divert for personal gain any business opportunity from which the company may profit unless the company validly decides to forego the opportunity.

An employee's duty of loyalty to the company is violated if the employee personally profits from a business opportunity which rightfully belongs to the company. This problem arises when an employee has an interest in an entity which offers a product or service which could be offered by the company, or when an employee directly offers such a product or service.

LEGAL COMPLIANCE

Antitrust

The Company is committed to vigorous competition in the marketplace.

The company's business decisions must reflect our independent judgment. Conduct aimed at limiting competitive forces is inconsistent with that commitment and may violate the antitrust laws. No employee should communicate with competitors regarding current or future prices, pricing policy, sales terms, production levels or any other information that relates to the marketplace in which the company operates.

Improper Payments

Bribery, kickbacks or other improper payments have no place in the company's business.

All employees who come into contact with government officials – domestic and foreign – must maintain the highest professional standards. Never offer anything of value to such officials to obtain a particular result for the company. Bribery of government officials can lead to criminal penalties.

These same standards should govern your contacts with those in the private sector. Entertainment of business prospects must be reasonable and documented carefully. Any questions regarding the application of this policy should be referred to [the Administrator].

Accounting Practices

Each employee must help maintain the integrity of the company's financial records.

No code of conduct can review the extensive accounting requirements which the company must fulfill. To meet these obligations, however, the company must rely on employee truthfulness in accounting practices. Employees may not participate in any misstatement of the company's accounts. At the same time, no circumstances justify the maintenance of “off-the-books” accounts to facilitate questionable or illegal payments.

CONFIDENTIALITY

Corporate Information

One of the company's most important assets is its confidential corporate information. The company's legal obligations and its competitive position often mandate that this information remain confidential.

Confidential corporate information generally falls into two categories. The first category encompasses information intended for internal use only. This information typically relates to the company's operations – customer lists, pricing policies, production techniques or “trade secrets” (confidential information used in the course of business to give the company a competitive advantage). The company endeavors to keep this information confidential indefinitely.

The second category, by contrast, involves confidential corporate information which the company routinely discloses to the investing public.
This information often gauges the company's financial performance (e.g., quarterly financial results of the company's operations) or identifies events which have a significant (or “material”) impact on the value of the company's securities. As outlined below, premature disclosure of such information may expose the individual involved to onerous civil and criminal penalties.

Confidential corporate information must not be disclosed by employees to anyone outside the company, except for a legitimate business purpose (such as contacts with the company's accountants or its outside lawyers). Even within the company, confidential corporate information should be discussed only with those who have a need to know the information. An employee's obligation to safeguard confidential corporate information continues even after the employee leaves the company.

Communications with the Public

[The Administrator] speaks for the company.

[The Administrator] is the company's spokesman and arranges for the regular release of the company's financial results. All requests for information – from reporters, securities analysts, shareholders, or the general public – should be referred to [the Administrator]. Releasing any corporate information through other channels is a violation of the code of conduct.

Insider Trading

Never trade securities on the basis of important confidential information acquired at the workplace.

Insider trading is a serious crime. The offense may occur when, for example, a person trades stock while in possession of material, nonpublic information about the company involved. Information is “material” if it would affect the average person's decision whether to buy, sell or hold the stock. It is “nonpublic” if it has not been released to and absorbed by the investing public.

Both the company and all its employees share an interest in avoiding an insider trading investigation. An individual convicted of insider trading may face criminal penalties of up to ten years in prison and/or a $1,000,000 fine. The investigation could tarnish the company's reputation and may subject the company to additional penalties.

Consequently, company policy forbids insider trading by all employees. Do not trade on the basis of confidential information obtained at the workplace – whether the information relates to the company or some other entity.

Insider trading law is far from clear. An employee legitimately may be unsure how the law applies in a particular instance. Given this uncertainty, all employees are encouraged to contact [the Administrator] with any questions or before any trade involving the company's stock.

WORKPLACE RELATIONS

Discrimination

Discrimination has no place in workplace decisions.

The company is committed to allowing employees to progress based on their talents. No employment decision may be based on, for example, an employee's or employment applicant's race, color, sex, religion, age, national origin, marital status, or disability. Each employee is subject to this standard. [The Administrator] is the officer responsible for enforcement of this policy. If you believe this policy has been violated, contact [him/her] immediately.

Harassment

Harassment of employees will not be tolerated.

The company expects all personnel to follow a simple standard: all employees must be treated with respect.
“Harassment” covers a wide spectrum of conduct, i.e., unwelcome sexual advances or racial epithets. This code sets a simple standard and everyone associated with the company must abide by it. Any employee who believes this standard is not being maintained should contact [the Administrator] immediately.

ENFORCEMENT

Violations of the code may lead to serious sanctions, including termination for cause.

The conduct of each employee matters vitally to the company. A misstep by a single employee can cost the company dearly; it undermines all of our reputations. For these reasons, violations of the code may lead to significant penalties, including dismissal.

CERTIFICATION

I certify that I have received, read and understood the [XYZ Corporation] Code of Conduct. I promise to comply with the terms of the code in the future and understand that violation of the code may lead to sanctions, including dismissal.

________________________
Signature

________________________
Print Name

________________________
Date

NCPL CORPORATE COMPLIANCE PRINCIPLES

APPENDIX B

CORPORATE COMPLIANCE BIBLIOGRAPHY

Edited by Lisa M. Horvath

Compiled and annotated by Lorni Fenton, Lisa M. Horvath, Dawn McKnight, James Miles, Nan Smith-Caldemeyer and Julie Wiley (Past and Present Editors of the Preventive Law Reporter)

This bibliography contains a selection of useful materials discussing corporate compliance. While earlier materials may also be helpful, this bibliography emphasizes recent materials developed in the past five years.

GOVERNMENT STANDARDS

U.S. Sentencing Commission, Sentencing Guidelines Manual § 8A1.2 (1993) (Application Note 3(k)).
Standards in Federal Sentencing Guidelines for Organizations (Chapter 8 of the Federal Sentencing Guidelines) for recognizing effective law compliance programs and granting corresponding sentence reductions.

U.S. Department of Defense, Voluntary Disclosure Program (May 5, 1989).
Description by the Office of Inspector General, United States Department of Defense, of the Department's voluntary disclosure program for defense contractors that discover internal offenses.

U.S. Department of Health and Human Services, Voluntary Disclosure Program Guidelines, June 9, 1995.
Guidelines issued by the Office of Inspector General, Department of Health and Human Services.

U.S. Department of Justice, Antitrust Division Corporate Amnesty Policy, (revised August 1993).
Criteria for self reporting of employee offenses as a basis for corporate amnesty from federal antitrust prosecutions.

U.S. Department of Justice, Factors in Decisions on Criminal Prosecutions for Environmental Violations in the Context of Significant Voluntary Compliance or Disclosure Efforts by the Violator (July 1, 1991).
Criteria for considering the sufficiency of voluntary law compliance efforts in decisions by prosecutors about whether to charge corporations based on environmental offenses by corporate employees.

U.S.
Environmental Protection Agency, Incentives for Self-Policing: Discovery, Disclosure, Correction and Prevention of Violations, 60 Fed. Reg. 66706 (Dec. 22, 1995).
Standards for measuring substantial environmental compliance efforts by corporations and other organizations as possible bases for reducing environmental violation penalties and withholding referrals for criminal prosecution.

U.S. Environmental Protection Agency, Memorandum of Operating Principles for Common Sense Initiative, Oct. 31, 1994.
Description by the Office of Enforcement and Compliance Assurance, U.S. Environmental Protection Agency, of the features of the EPA's Common Sense Initiative.

U.S. Environmental Protection Agency, Environmental Auditing Policy Statement, 51 Fed. Reg. 25004 (July 9, 1986).
Evaluation criteria for law compliance auditing as part of an environmental law compliance program.

U.S. Environmental Protection Agency, Policy Regarding the Role of Corporate Attitude, Policies, Practices, and Procedures in Determining Whether to Remove a Facility from the EPA List of Violating Facilities, 56 Fed. Reg. 64786 (Dec. 12, 1991).
Standards for assessing increased corporate compliance efforts following an environmental violation and using this assessment to allocate subsequent regulatory oversight.

New Jersey Environmental Prosecutor's Office, Factors in the Exercise of Discretion on Criminal Prosecutions for Environmental Violations in the Context of Effectively Operating Voluntary Compliance/Audit Programs, May 15, 1992.

BOOKS

LOUIS M. BROWN, ANNE O. KANDEL, & RICHARD S. GRUNER, THE LEGAL AUDIT: CORPORATE INTERNAL INVESTIGATION (1996).
Soup to nuts treatment of corporate legal audits. Includes many useful forms.

RICHARD S. GRUNER, CORPORATE CRIME AND SENTENCING (1994).
Describes criteria for evaluating compliance programs under Federal Sentencing Guidelines for Organizations and the management features of effective compliance programs.

JEFFREY M. KAPLAN, JOSEPH E. MURPHY, & WINTHROP M. SWENSON, COMPLIANCE PROGRAMS AND THE CORPORATE SENTENCING GUIDELINES: PREVENTING CRIMINAL AND CIVIL LIABILITY (1994).
Discusses the history of the Federal Sentencing Guidelines for Organizations and the Guidelines' standards for an effective compliance program.

BNA/ACCA COMPLIANCE MANUAL: PREVENTION OF CORPORATE LIABILITY (William A. Beltz ed. 1996).
A series of regularly issued newsletters that give an up-to-the-minute treatment of a broad range of corporate compliance matters.

CHECKLISTS FOR CORPORATE COUNSEL (William A. Hancock ed. 1992).
Contains numerous checklists of compliance issues in areas such as employee relations, OSHA compliance, environmental law, commercial law and conducting audits and investigations.

CORPORATE COMPLIANCE SERIES (1993).
Ten volume set, including individual volumes on OSHA, products liability, records retention programs, ERISA, EEOC, fair hiring and firing, intellectual property, environmental and securities.

CORPORATE COUNSELLOR'S DESKBOOK (Dennis J. Block & Michael A. Epstein eds. 1992).
Discusses a wide variety of compliance issues in areas such as antitrust, real estate and the liability of corporate officials.

CORPORATE INTERNAL INVESTIGATIONS (Dan K. Webb et al. eds. 1995).
An in-depth treatment of this complex area.

ARTICLES

GENERAL

Annotated Bibliography of ACCA Docket Articles, 13 No. 6 ACCA Docket 50 (Nov./Dec. 1995).
A comprehensive listing of articles of interest to corporate counsel. The listed articles can be ordered from the American Corporate Counsel Association (see Additional Resources section of this bibliography for contact information).

Jim Ambrose, Laurel Burke, Lisa Horvath, Doug Penn & Monica Woods, Compliance Program Standardization: Myth or Reality?, Preventive Law Reporter, Summer 1995, at 8.
This article contrasts seven compliance programs, affording a view of how these programs operate in different environments.

Stanley S. Arkin, Jeffrey M. Kaplan & Mark S. Cohen, Failure to Supervise: What's the Harm?, 2 No. 9 Business Crimes Bulletin: Compliance and Litigation (Oct. 1995).
In some industries, not only a company but its officers may face industry-specific penalties for failures to supervise. This article identifies the importance of regulatory requirements -- such as those imposed under the Securities and Exchange Act -- in compelling supervision of employees through measures such as compliance programs.

Colleen R. Belak, Federal Sentencing Guidelines and Corporate Compliance Systems: A Status Report, Preventive Law Reporter, Dec. 1992, at 14.
Survey of corporate compliance practices addressing the use of preventive techniques to limit liability. Discusses control, evaluation, dissemination and scope of compliance programs.

Harry S. Hardin, III & Andrew R. Lee, Pitfalls for In-House Counsel, 25 Brief 32 (Winter 1996).
This article examines the special ethical problems encountered by in-house counsel, such as the conflicts of interest that may arise when counsel must investigate misconduct by company officials and the interests of those officials diverge from those of the attorney's corporate client.

Sandra L. Jamison, Federal Sentencing Guidelines and Corporate Compliance Systems: 1993 Status Report, Preventive Law Reporter, Summer 1994, at 25.
Nationwide survey conducted to compile data on the use of compliance programs. Comparisons are provided to a similar 1992 survey, showing that programs increasingly emphasized environmental compliance, codes of conduct and centralized compliance programs.

Kirk S.
Jordan, Lessons in Organizational Compliance: A Survey of Government-Imposed Compliance Programs, Preventive Law Reporter, Winter 1994, at 3.
This article examines programs imposed through consent decrees, permitting compliance officers to glean information about how government officials evaluate compliance programs.

Mansfield C. Neal, GE's Compliance Program: An Overview in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 317 (June 1996).
An inside view of a complex and well-established program that will be useful to managers of less-developed programs. Examines program components such as written policies, means to integrate compliance into operations and methods for continuous improvement in compliance.

Richard H. Porter, Corporate Compliance - Implications for Counsel and Corporate Management, C900 ALI-ABA 121 (Jan. 20, 1994).
A concise introduction to corporate compliance, including a discussion of the benefits, the costs and the practical problems.

Marc I. Steinberg, The Role of Inside Counsel in the 1990s: A View from Outside, 49 Southern Methodist University Law Review 483 (March 1996).
Today, inside counsel play a vital role not only in rendering legal advice but also shaping corporate policy. This article describes the changing nature of inside counsel's position and related impacts on hiring criteria for inside counsel, counsel's role in the boardroom and counsel's part in compliance efforts.

CORPORATE COMPLIANCE TECHNIQUES

Getting Your Company to Shape Up: Four Experts Share Tips on Corporate Compliance Programs, 3 Business Law Today 46 (July/Aug. 1994).
In this article, four experts on compliance programs offer general advice for implementing a program, describe the primary benefits of an effective program and assess some of the shortfalls of the compliance program standards in the Federal Sentencing Guidelines for Organizations.

Ten Warnings from Veteran Compliance Officers, ABA Banking Journal 28 (Jan. 1993).
Veteran compliance officers present sample scenarios (and cautions) for undertaking a number of compliance activities, including spreading compliance responsibilities, setting priorities, and using regulators as a resource.

Barbara Abrams, Using Technology to Implement Compliance Programs: The Making of a Video in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A
GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 301 (June 1996).
The use of videotapes in compliance training efforts has become increasingly popular. This article assesses many of the practical considerations in making a video, including management buy-in, budget preparation, scripts and rehearsals and how to tape employees.

D. Broward Craig & David S. Hershberg, To Fill Compliance Role, Law Department May Need to Upgrade, 16 National Law Journal S12 (Aug. 30, 1993).
Faced with an ever-expanding set of compliance requirements, many corporations are restructuring their legal departments to fulfill increased responsibilities. This article surveys methods for equipping a corporate law department to develop a risk-averse compliance program. The article provides tips on restructuring responsibilities, involving corporate counsel in compliance activities and meeting staffing demands.

Dana H. Freyer and Benjamin B. Klubes, A Practical Approach to Implementing a Corporate Compliance Program for Smaller Companies, Preventive Law Reporter, Winter 1994, at 33.
An organization's size affects the proper design and implementation of an effective compliance program. This article considers how small companies can tailor generalized compliance procedures to their particular environments.

George "Chip" R. Grange II, Peter F. Rathbun & Jonathan A. Ruybalid, An Unfelt Need Whose Time Has Come, Preventive Law Reporter, Winter 1995, at 44.
Nonprofit organizations were once largely immune from legal liability and governmental regulation. Changes in legal and social environments have all but eliminated this protected status. This article describes how a self-initiated legal audit for a nonprofit organization can facilitate a successful transition into the modern legal environment of nonprofit organizations.

Nina G. Gross & Robert L.
Clarke, Management of Regulatory Risk, Preventive Law Reporter, Summer 1995, at 34.
Compliance with fair lending regulations is elusive and thus difficult to manage. New means to manage this type of compliance are presented.

Richard S. Gruner, Officer and Director Liability for Inadequate Legal Compliance Systems, Preventive Law Reporter, Summer 1995, at 6.
The personal liability of directors and officers for failure to institute and maintain effective compliance systems is described in this article, along with the types of compliance systems that will insulate these individuals from this liability.

Richard S. Gruner, Managing Post-Offense Responses in Corporate Organizations, Preventive Law Reporter, Dec. 1992, at 14.
Post-offense responses can have a large impact on corporate liability. This article describes steps corporate compliance officers should consider following an offense and systematic management practices to ensure that those steps are addressed.

Karen S. Guarino, Developing a Comprehensive Medical Records Management and Retention Policy, 11 No. 8 HealthSpan 14 (Sept. 1994).
In highly regulated health care companies, determining what records to keep and for how long is complex. This article describes how a comprehensive records management program can assist institutions in performing audits, managing licenses and certifications and developing sound procedures for the use of records in ongoing patient care.

Thomas B. Heffelfinger, Compliance Program Checklist, Preventive Law Reporter, Spring 1995, at 33.
A comprehensive checklist addressing the development, use and evaluation of corporate compliance programs.

John M. Holcomb, Preventive Maintenance: Using Business Strategies to Reduce Corporate Liability, Preventive Law Reporter, Spring 1996, at 26.
Common business strategies can help companies avoid or reduce legal liability. This article describes business strategies that can improve compliance, including a SWOT (Strengths, Weaknesses, Opportunities, and Threats) Analysis, a Corporate Social Responsibility and Responsiveness Program, a Social Audit, the Stakeholder Approach, and Crisis Management.

Joseph A. Ingrisano & Susan A. Mathews, Practical Guide to Avoiding Failure to Supervise Liability, Preventive Law Reporter, Summer 1995, at 12.
Methods to reduce potential securities law liability for failures to supervise exposure are explored.

Jeffrey M. Kaplan, Five (Other) Common Mistakes in Designing and Implementing a Compliance Program in Practicing Law Institute, CORPORATE
COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 587 (June 1996).
Discusses common program deficiencies such as failures to empower compliance officers. Includes suggested resources.

Tom McQueen, Games Trainers Play, Preventive Law Reporter, Winter 1995, at 27.
Trainers face an often daunting task in attempting to educate employees about corporate compliance policies and procedures. This article describes how incorporating games can make training more effective and pleasant.

Laura L. Monty, Creating a Compliance Culture in the Workplace, Preventive Law Reporter, Winter 1994, at 19.
Corporate compliance programs typically do not account for the realities of daily business management. Methods for integrating compliance with other management practices and thereby serving overall organizational goals are assessed in this article.

Joseph E. Murphy, How to Respond to Corporate Compliance Failures, 16 ALI-ABA Course Materials Journal 7 (June 1992).
Advises corporate counsel about planning for, responding to, and managing corporate compliance failures.

Harvey L. Pitt & Karl A. Groskaufmanis, When Good Things Happen to Good Companies: A Crisis Management Primer, 15 Cardozo L. Rev. 951 (1994).
By developing a methodology for responding to detected offenses within a company, corporate counsel can prevent or diminish the impact of these unfortunate incidents. This article argues that the businesses which best respond to offenses assume that a crisis is inevitable and plan accordingly.

Thomas M. Roehlk, Considerations for Diversified Firms, Preventive Law Reporter, Summer 1995, at 3.
A diversified firm may encounter varying compliance risks in dissimilar business units. This article examines steps for dealing with these dissimilar risks such as designating a compliance officer at each business unit and developing separate compliance program activities.

Mark K. Smallhouse, Reduction in Force: Practical Measures for Avoiding Liability, Preventive Law Reporter, Spring 1996, at 13.
This article examines steps a company can take to minimize liability in the context of workforce reductions, including developing selection criteria for layoffs, testing planned reduction steps, and finally working with laid off employees on outplacement and retraining schedules.

Mark K. Smallhouse, Intel's Lawyer in a Laptop: Re-Defining Corporate Compliance Training Programs, Preventive Law Reporter, Winter 1994, at 9.
Instead of using computer networks to merely distribute a compliance manual, this article describes how one company implemented an interactive software program designed to aid employees in understanding and managing complex legal issues.

Robert Salcido, HHS' Voluntary Disclosure Program: How to Obtain Benefits Under the Program While Minimizing Risk, 8 Health Lawyer 1 (Late Summer 1995).
In its war against health care fraud, the government has initiated a Voluntary Disclosure Program under which a health care provider can disclose incidents of fraud and reduce its potential liability. This article describes why, when a company learns of possible health care fraud, the question is often not "Should we disclose?" but rather "How do we disclose?"

Lori Tansey, Five Common Mistakes in Designing and Implementing a Compliance Program in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A
GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 575 (June 1996).
This article addresses common errors that companies make in adopting and operating compliance programs.

Don Zarin, Doing Business Under the Foreign Corrupt Practices Act: Compliance Programs in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 525 (June 1996).
An effective compliance program can help companies minimize their risk of violating the Foreign Corrupt Practices Act. This article examines basic compliance procedures that can be tailored to address compliance risks in international trade.

CORPORATE PREVENTIVE POLICIES

Note, Growing the Carrot: Encouraging Effective Corporate Compliance, 109 Harvard Law Review 1783 (May 1996).
Instituting effective compliance programs is one of the means for corporations to mitigate sentences under the Federal Sentencing Guidelines for Organizations. Studies of corporate sentencing indicate that many of the corporations sentenced had either ineffective programs or no programs at all. This article argues that government-imposed compliance programs and industry best-practice programs provide guidance for developing effective programs.

Carole Basri & Alexis Greenberg, Industry Practice Groups -- An Approach to Lessening the Antitrust Risks of Trade Associations in Corporate Compliance Benchmarking in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 557 (June 1996).
Corporations increasingly use benchmarking to assist in developing and using an effective compliance program. This article explains why antitrust requirements may be important when benchmarking programs and setting compliance standards. The article includes a "do and don't" list.

Elletta Sangrey Callahan & Terry Morehead Dworkin, Who Blows the Whistle to the Media, and Why: Organization Characteristics of Media Whistleblowers, 32 American Business Law Journal 151 (1994).
This article describes the organizational circumstances leading to external whistleblowing. These circumstances typically include a lack of power within the organization on the part of the whistleblower and a lack of a meaningful response to some incident of internal misconduct. Compliance officers can use this information about whistleblowers to design compliance program procedures that heighten the chances that reports from potential whistleblowers will be made within their company before being disclosed to outside parties.

Earl E. Devaney, The Exercise of Prosecutorial Discretion, C110 ALI-ABA 339 (March 2, 1995).
This memorandum from the Director of the EPA Office of Criminal Enforcement to all EPA employees in the agency's Criminal Enforcement Program describes case selection criteria regarding environmental violations. These criteria turn, in part, on the past compliance practices of the violator.

Mary E. Didier & Winthrop M. Swenson, Thou Shall Not Improperly Delegate Authority -- Thoughts on the US Sentencing Commission's "Step Three," Preventive Law Reporter, Winter 1995, at 9.
Federal Sentencing Guidelines for Organizations reward companies that have implemented an "effective compliance program to prevent and detect criminal conduct." To qualify, a compliance program must include seven types of features described in the Guidelines. In this article, practitioners suggest a number of methods a company can employ to meet the Guideline requirements.

William F.
Fahey, 10 Questions You Should be Prepared to Answer When Your Corporate Client Becomes Involved in a Criminal Investigation, 41 Federal Bar News & Journal 428 (July 1994).
A concise discussion of practical advice for dealing with government investigations.

Karl A. Groskaufmanis, Preventive Steps that Count: Ten Rules of Thumb for Corporate Compliance Programs, C110 ALI-ABA 83 (March 2, 1995).
This article describes how, by taking a step back, the process of developing and implementing a corporate compliance program can be reduced to a few simple steps.

Adrian Otten & Hannu Wager, Compliance With TRIPS: the Emerging World View, 29 Vanderbilt Journal of Transnational Law 391 (May 1996).
TRIPS instituted multilateral standards of protection, rules of enforcement, and World Trade Organization procedures for the settlement of disputes. The minimum standards of protection that each member nation must adopt create a certain uniformity for individuals or firms that participate in intellectual property trade on an international level. This article examines how awareness of the TRIPS Agreement's enforcement procedures can prove valuable guidance for the construction of related compliance programs aimed at the perfection and retention of intellectual property rights.

Harvey L. Pitt & Karl A. Groskaufmanis, Director's Liability: No Fraud by Hindsight, 14 The Corporate Board 7 (1993).
As a corporate director, one should be aware of potential litigation, especially multiple claims and shareholder's derivative suits. This article describes numerous "rules of thumb" to guide the responsible director in avoiding liability for improper corporate disclosures and other corporate conduct.

Richard Rocchini & Mark S. Olinsky, Is Your Legal Compliance Program Merely a Paper Tiger?, Corporate Legal Times 29 (June 1994).
Distribution of corporate compliance policy statements, appointment of corporate compliance officers and initiation of an employee whistleblower hotline do not necessarily guarantee lower prosecution risks and mitigated sentences. The Federal Sentencing Guidelines for Organizations require not only that the legal compliance message be communicated to employees, but also that the message be understood and followed. Suggestions are offered in this article on selecting persons to train regarding compliance, reinforcing the training, and devising a training program that will ensure a compliance message reaches its targeted audience and sticks.

Howard J. Saks, Most Major Life Companies are Vigorously Enforcing Compliance Standards With Their Sales Agents, 23 Estate Planning 40 (Jan. 1996).
Leading insurance companies have begun policing their own sales agents. This increase in self policing follows actions by state regulators to impose significant fines on three major life insurers for misrepresentations made to policy holders regarding their products. Under these new self policing programs, everything from letterhead to sales presentation materials are scrutinized. This article describes why such policing efforts are time consuming, but will result in better customer relations and reduced litigation.

Paul Allen Schott, FDICIA-Mandated Safety and Soundness Standards Pose Compliance Burdens, 14 Banking Policy Report 6 (Aug. 21, 1995).
Regulatory agencies responsible for administering the Federal Deposit Insurance Corporation Improvement Act of 1991 have published final guidelines implementing Section 132 of the Act.
Section 132 requires that safety and soundnessstandards be established in three primary areas: operational and managerial, assetvaluation, and compensation. Institutions are required by the guidelines to establishtheir own standards in these ares. This article describes why this approach providesmanagement with flexibility in complying with Section 132, but places the burden ofinsuring compliance directly upon management.Kevin M. Smith & John M. Oseth, The Whistleblowing Era: A ManagementPerspective, Employee Relations Law Journal 79 (Sept. 1993).Monetary incentives and protections under modern state and federal lawsencourage employees to act as whistleblowers by disclosing corporate misconduct.This article describes why human resource managers and in-house counsel shoulddevelop coherent strategies for operating within this new whistleblower era to reducethe likelihood that misconduct will be reported externally before being brought to theattention of corporate managers. Several recommendations for internal policy,organization and monitoring strategies are offered.Karla R. Spaulding, "An Ounce of Prevention is Worth a Pound of Cure" FederalSentencing Guidelines for Organizations, 42 Federal Lawyer 35 (Sept. 1995).Federal Sentencing Guidelines for Organizations provide a scoring system fordetermining recommended sentences for convicted organizations. This articleexamines this scoring system and the organizational features that will increase ordecrease corporate sentences.Marc I. Steinberg & John Fletcher, Compliance Programs for Insider Trading, 47Southern Methodist University Law Review 1783 (July/Aug. 1994).The article reviews compliance programs in three contexts: professional firms,

financial intermediaries and publicly-held companies. Specific measures appropriate for each situation are discussed.

Gregory J. Wallance, Looking the Other Way Can Be a Crime: Is Your Foreign Sales Representative Paying Bribes in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 551 (June 1996).
As American companies engage in global operations, compliance practices may clash with cultural practices in foreign countries. This article explains why it is vital that businesses address the risk posed by relying on a foreign sales representative to act as an intermediary between an American company and a foreign customer.

Dan K. Webb, Steven F. Molo & James F. Hurst, Understanding and Avoiding Corporate and Executive Criminal Liability, 49 Business Lawyer 617 (Apr. 1994).
In the last few years it has become routine for corporations to be held criminally accountable for the illegal acts of their employees. This article discusses why techniques for avoiding criminal liability should be a concern for all businesses and the lawyers representing them. General principles of corporate criminal liability, the indictment process and the Federal Sentencing Guidelines for Organizations as applied to businesses and executives are addressed. Additionally, the creation and implementation of an effective compliance program are discussed.

Herbert I. Zinn, Sticks and Stones May Break Your Bones and Words Can Hurt You, Too, Preventive Law Reporter, Summer 1995, at 28.
This article explains why compliance programs should encompass a range of identified liability and asset protection risks, not just violations of federal criminal law. Intellectual property claims are examples of liability risks that can be reduced through a carefully developed compliance program. Strategies to deal with copyright compliance risks are outlined.

INTERNAL INVESTIGATIONS AND AUDITS

Roundtable Discussion: The Anatomy of a Corporate Internal Investigation, 8 No. 7 Insights 15 (July 1994).
Increasingly, corporations rely on internal investigations to avoid or limit legal liability. In this article, the Corporation and Securities Law Section Council of the Illinois State Bar Association discusses the goals and advantages of these investigations.

Ilise L. Feitshans, Through the Looking Glass: The Ethics of Internal Investigations by In-House Counsel in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 711 (June 1996).
When conducting internal investigations, corporate counsel must address the often conflicting rights of a corporation and its employees. This article explains these potential conflicts of interest and describes features of the ABA Model Rules of Professional Conduct and in-house codes of ethics that may provide guidance for resolving such conflicts.

Alan W.H. Gourley, Protecting Corporate Information, C900 ALI-ABA 93 (Jan. 20, 1994).
Comprehensive compliance programs often produce sensitive information about compliance problems. This article examines doctrines that may protect this information from forced disclosure, including the attorney-client privilege, the work product doctrine, and the self-evaluative privilege. It also addresses some of the possible
impacts of compelled disclosures.

Kenneth N. Hart & Stephen D. Houck, Skeletons In the Corporate Closet, Part I: In-House Lawyers Sometimes Need To Help a Corporation Investigate Itself, 1 Business Law Today 4 and 58 (May/June and July/Aug. 1992).
Increasingly, in-house counsel are being asked to conduct internal investigations in a wide range of situations. The first part of this two-part article addresses when to conduct an investigation and the benefits involved. Part two discusses how to conduct a corporate investigation to protect the corporation from liability.

Gray G. Lynch & Douglas M. Fuchs, Conducting Internal Investigations of Possible Corporate Wrongdoing in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 615 (June 1996).
An in-depth treatment of internal investigations, designed to help counsel prepare for difficult issues endemic to in-house audits.

Michael P. Kenny & William R. Mitchelson, Jr., Corporate Benefits of Properly Conducted Internal Investigations, 11 Georgia State University Law Review 657 (June 1995).
Though internal investigations offer several distinct advantages, they also carry some risks. Fortunately, thoughtfully designed and implemented internal investigation procedures and policies help to stem these risks. This article describes how a proper investigation can maximize an organization's opportunities to favorably resolve a controversy over internal misconduct while preserving attorney-client and work product privileges.

Joseph E. Murphy & Ilise L. Feitshans, Protecting the Compliance Audit in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 667 (June 1996).
Although compliance audits are key elements of effective compliance programs, they also present risks of increased liability. This comprehensive article describes how a firm can avoid creating new problems in a compliance audit. It includes a case table, bibliography and forms.

Roger C. Spaeder, The Brave New World of Voluntary Disclosure, 10 No. 12 Corporate Counsellor 1 (May 1996).
Following a voluntary disclosure, an in-house lawyer may find herself between a rock and a hard place. Recognizing that this is a difficult situation, the author examines how counsel can balance the disparate goals of demonstrating loyalty to the targeted executive and obtaining a favorable resolution to the problem.

Gregory J. Wallance & Jay W. Waks, Internal Investigation of Suspected Wrongdoing by Corporate Employees in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 649 (June 1996).
This article discusses several key topics related to internal investigations, including: investigative tools, attorney-client privilege, work product privilege and the self-critical privilege. It also discusses decisions about whether legal violations detected in investigations should be disclosed to the government.

Gregory J. Wallance, Searches and Seizures of Businesses: How Corporate Counsel can Protect Firm Interests and Rights in Practicing Law Institute, CORPORATE COMPLIANCE: HOW TO BE A GOOD CITIZEN CORPORATION THROUGH SELF-POLICING 609 (June 1996).
A government investigation can paralyze the unprepared business. This article
examines why educating in-house counsel on the proper response to a surprise raid can help to alleviate negative impacts.

BUSINESS ADVANTAGES OF COMPLIANCE

John H. Baker, Who Wants to Buy Preventive Law?, Preventive Law Reporter, Fall 1995, at 21.
Marketing preventive law is no different from selling widgets. This article argues that, by examining the nature of their product, preventive lawyers can critically examine their client's reasons for buying or not buying ameliorative services.

Dana Freyer & Joseph E. Murphy, Obvious Legal Risks -- Hidden Business Rewards, C110 ALI-ABA 77 (March 2, 1995).
Corporate counsel often have to "sell" management on the benefits of corporate compliance. In addition to substantially reducing fines imposed under the Federal Sentencing Guidelines for Organizations, this article examines the other business advantages of an effective program, including reducing insurance costs and enhancing employee morale.

Charlette A. Geffen, Public Expectations and Corporate Strategy, 3 Corporate Environmental Strategy 33 (1996).
External systems to rate corporate performance are an important source of information for both consumers and businesses. This article describes how, by gaining a perspective on public expectations, companies can effectively allocate compliance resources.

Michael E. Porter & Claas van der Linde, Green and Competitive: Ending the Stalemate, Harvard Business Review, Sept./Oct. 1995, at 120.
While innovating to meet regulatory requirements may have significant up front costs, these are often more than offset by an organization's increased ability to compete effectively in dynamic marketplaces that value socially responsible performance. This article assesses some of the business advantages inherent in achieving environmental compliance.

Michael E. Porter & Claas van der Linde, Toward a New Conception of the Environment-Competitiveness Relationship, Journal of Economic Perspectives, Fall 1995, at 97.
Traditionally, the relationship between environmental regulation and industrial competitiveness has been regarded as a trade-off between social benefits and private costs. However, this article explains why a competitive advantage may be found in the capacity to innovate and to improve the ways in which a company can meet environmental regulations.

Peg. A. Schoenfelder, Preventive Law "Marketing Tips" for Corporate Counsel, Preventive Law Reporter, Fall 1995, at 19.
To assist full implementation of preventive policies, in-house attorneys must be able to discuss not only the legal benefits but also business benefits. This article discusses how in-house attorneys, in promoting compliance programs, can become partners with management in furthering organizational goals.

Lisa A. Whitney, Marketing to the Corporate Client, 13 No. 3 ACCA Docket 40 (May/June 1995).
To accomplish the timely use of in-house legal services, management must regard attorneys as part of "the team." This article describes how techniques such as drawing the client into the legal process and keeping an eye on the bottom line assist in this process.

SPECIALIZED COMPLIANCE PROGRAMS

Antitrust
Theodore L. Banks, Using Technology to Teach Effective Antitrust Compliance, 9 Antitrust 37 (Summer 1995).
This article examines how antitrust counsel can use new technologies such as computer networks and audio-visual aids to deliver a compliance message in a memorable and painless fashion.

Ann Fingarette Hasse, Workplan for Developing an Antitrust Compliance Program, 891 Practicing Law Institute/Corporate Law 941 (Jan. 1995).
Practical tips are offered for developing an effective antitrust compliance program.

Kirk S. Jordan & Edward O'Correia, A Model Antitrust Compliance Manual (Part 1 and Part 2), 6 and 7 The Practical Lawyer 61 and 83 (Sept. 1994 and Oct. 1994).
An antitrust compliance manual, a vital part of an effective antitrust compliance program, must be tailored to each organization. Part one of this article covers the provisions of a model antitrust manual, a summary of antitrust law, relationships with competitors and standards of conduct. Part two discusses price discrimination, monopolization and activity reporting requirements.

Joseph E. Murphy, Surviving The Antitrust Compliance Audit, 59 Antitrust Law Journal 953 (1991).
Improperly conducted compliance audits provide fuel for litigation. A discussion of the limitations of the attorney work-product, attorney-client, and self-evaluative privileges is followed by eighteen useful tips to avoid entrapment while conducting a compliance audit.

Steven P. Reynolds, Guide from the Trenches: Using Training as a Tool for Antitrust Compliance, Preventive Law Reporter, Spring 1996, at 33.
Continually training clients about changing antitrust laws fosters an environment supporting compliance. This article describes how advances in desktop publishing, videos, and learning styles can be used to relay important compliance information and training.

Steven P. Reynolds, A Survey of Best Practices, Innovative Communications Techniques for Corporate Antitrust Compliance, 9 Antitrust 33 (Fall 1994).
By examining communications techniques in a wide range of corporate legal departments, counsel can determine the most effective methods for training employees and disseminating information. This article describes a number of these techniques in the context of antitrust compliance training.

George Vetter & Howard A. Merten, Aftermarket Aftershock: Assessing Kodak's Effect on Business Planning for Parts and Service, Preventive Law Reporter, Spring 1996, at 8.
By tightly controlling parts and service to ensure quality, thus alienating a third party's ability to get parts or service products, a company can find itself embroiled in antitrust problems. Examining the Kodak decision, this article describes practical tips a company can use to maintain proper control over parts and service.

Environmental Law

EPA Report Charts Environmental Compliance At Federal Facilities for FY 1993-1994, 4-16-96 West's Legal News 2201, 1996 WL 259899.
The EPA has compiled a chart describing the compliance performance of certain federal facilities. This chart is a valuable tool for identifying potential compliance issues that will be useful to a business or public entity that is performing its own environmental audits. The EPA chart analyzes federal facilities under eight different environmental statutes and is available on the Internet at the following address:
http://www.epa.gov/docs/PressReleases/1996/April/Day-12/pr-636.html.

Lawrence S. Bacow & Michael Wheeler, Binding Parties to Agreements in Environmental Disputes, 2 Villanova Environmental Law Journal 99 (1991).
Negotiation can resolve an environmental dispute swiftly and efficiently. In those cases where a party does not abide by a negotiated agreement, enforcement mechanisms described in this article will be well suited to environmental enforcement needs. These mechanisms include: structured implementation, contingent agreements, monitoring devices, and substituted performance.

Judy Cook & Brenda J. Seith, Environmental Training: It's the Law, 3 Journal of Environmental Regulation 141 (Winter 1993/94).
This article explains how an effective employee training program prevents violations and increases awareness of health risks. It also considers why proactively addressing training will reduce liability if outside agencies are involved.

David R. Erickson & Sarah D. Mathews, Environmental Compliance Audits: Analysis of Current Law, Policy and Practical Considerations to Best Protect Their Confidentiality, 63 University of Missouri Kansas City Law Review 491 (Summer 1995).
This article describes why a self-audit is one of the most effective means by which a company can investigate compliance problems and take proactive steps to comply with environmental laws and regulations. The article also explains why the confidentiality of self-audits is not guaranteed and discusses how attorneys and their clients can take measures to increase the likelihood that internal environmental audits remain confidential.

Scott C. Fulton & Lawrence I. Sperling, The Network of Environmental Enforcement and Compliance Cooperation in North America and the Western Hemisphere, 30 International Lawyer 111 (Spring 1996).
This article explains why the development of a North American environmental enforcement network has created a system more compatible with standard U.S. practices. With the passage of the New Trilateral Enforcement Network, each country now has an obligation to effectively enforce its environmental laws. Companies dealing in trade that has an environmental impact in either Canada, the U.S., or Mexico should be aware of each country's environmental regulations.

Daniel L. Goezler, Management's Discussion and Analysis and Environmental Disclosure, Preventive Law Reporter, Summer 1995, at 18.
Management's Discussion and Analysis (MD&A) disclosures require company managers to provide investors with more than a numerical picture of factors affecting a corporation's continued viability. Disclosures must enable investors to compare a corporation's past and future performance. The MD&A requirements are explained and analyzed in the context of environmental performance.

Barry Goode, Patrick Cavanaugh & Trent Norris, The Environmental Self-Audit Privilege: A Bibliography, C110 ALI-ABA 475 (March 2, 1995).
Includes federal agency policies, cases and commentaries.

Thomas A. Hemphill, Corporate Environmentalism and Self-Regulation: Keeping Enforcement Agencies at Bay, 3 Journal of Environmental Regulation 145 (Winter 1993/94).
This article argues that corporate environmentalism is an emerging managerial strategy that represents corporate commitment to environmental responsibility and a translation of that commitment into action. The article offers: (1) a model environmental compliance program; (2) business policies, programs and conduct codes; and (3) recommendations for implementing self-regulatory business strategies.

Margaret M. Menicucci, Environmental Regulation of Health Care Facilities: A
Prescription for Compliance, 47 Southern Methodist University Law Review 537 (Mar./Apr. 1994).
Federal and state regulations regarding hazardous and radioactive medical wastes and worker safety have a significant impact on health care companies. This article describes how a medical waste generator can assess its waste management needs and practices, become knowledgeable about federal and state regulatory requirements, implement employee training programs, have a central location for records and documents and conduct a facility audit and environmental assessment of the property.

Mark C. Posson, The Risks and Benefits of Outsourcing Environmental Management, 3 Corporate Environmental Strategy 5 (1996).
This article explains the compliance risks inherent in efforts to outsource environmental management programs.

Robert L. Ringstrom & Paul G. Anderson, An Environmental Compliance Checklist for Real Estate Practitioners, 25 Colorado Lawyer 61 (Jan. 1996).
Environmental Site Assessments (ESAs) are valuable mechanisms for assessing a property's environmental condition. This article describes how an ESA, combined with an environmental property audit, can evaluate the status of compliance with environmental regulations. This evaluation can minimize risks to current property owners by indicating what remedial steps should be taken. For prospective property owners, ESAs and audits can uncover potential sources of liability for hazardous waste cleanups.

John Voorhees, New EPA Policy: Incentives Promote Audits and Management Systems, Preventive Law Reporter, Spring 1996, at 4.
This article examines the ways that the EPA's new policy encourages businesses to establish comprehensive environmental auditing and compliance programs. Through audits and internal compliance programs, voluntary and prompt disclosure of a violation (in advance of its detection through an external inspection, investigation, or information request), and remediation within 60 days of discovery of a violation, a company can avoid civil and criminal penalties.

ADDITIONAL RESOURCES

American Corporate Counsel Association
1225 Connecticut, N.W.
Washington, DC 20036
(202) 296-4522
Publishes a monthly newsletter covering issues of interest to in-house counsel.

Corporate Legal Times
3 East Huron Street
Chicago, IL 60611
(312) 654-3500
A national monthly newspaper on managing in-house corporate legal departments.

Corporate Conduct Quarterly
401 Cooper Street
Camden, NJ 08102
(609) 225-6353; FAX (609) 225-6559
A practical guide for corporate ethics and compliance.

Ethics Officer Association
Center for Business Ethics
Bentley College
175 Forest Street
Waltham, MA 02154-4705
(617) 891-2575

National Center for Preventive Law
1900 Olive Street
Denver, CO 80220
(303) 871-6415; FAX (303) 871-6001
Publishes the Preventive Law Reporter and provides reference and educational services concerning compliance issues.

United States Sentencing Commission
One Columbus Circle, NE
Suite 2-500, South Lobby
Washington, DC 20002-8002
(202) 273-4500; FAX (202) 273-4529
Publishes annual report which contains a comprehensive view of sentencing practices under the Federal Sentencing Guidelines for both individuals and organizations.